Contrail Service Orchestration User Guide

Release 3.1
Modified: 2018-02-11
Copyright © 2018, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in
the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Copyright © 2018 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.
Table of Contents
About the Documentation
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Part 1: Administration Portal
Chapter 1: Introduction
Unified Administration and Customer Portal Overview
Administration Portal Overview
Logging in to Administration Portal
Switching the Tenant Scope
Changing the Administration Portal Password
Changing the Password on First Login
Resetting the Password
Setting Password Duration
Extending the User Login Session
Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal
Setting Up the Cloud CPE Distributed Deployment Model with Administration Portal
Chapter 2: Managing Objects
Creating Objects
Modifying an Object
Deleting Objects
Viewing Object Details
Searching for Text in an Object Data Table
Sorting Objects
Chapter 3: Using the Dashboard
About the Administration Portal Dashboard
Tasks You Can Perform
Field Descriptions
Chapter 4: Monitoring Tenants, Sites, and Services
About the Monitor Overview Page
Tasks You Can Perform
Field Descriptions
About the Monitor Tenants Page
Tasks You Can Perform
Field Descriptions
About the Monitor POPs Page
Tasks You Can Perform
Field Descriptions
About the Monitor Sites Page
Tasks You Can Perform
Field Descriptions
About the Monitor Services Page
Tasks You Can Perform
Field Descriptions
Chapter 5: Monitoring Alerts
About the Generated Alerts Page
Tasks You Can Perform
Field Descriptions
Chapter 6: Monitoring SD-WAN Alert Definitions
About the SD-WAN Alert Definitions Page
Tasks You Can Perform
Field Descriptions
Creating SD-WAN Alert Definitions
Editing and Deleting SD-WAN Alert Definitions
Editing an SD-WAN Alert Definition
Deleting SD-WAN Alert Definitions
Chapter 7: Monitoring Device Events
About the Device Events Page
Tasks You Can Perform
Advanced Search
Field Descriptions
Chapter 8: Monitoring Tenants SLA Performance
About the SLA Performance of All Tenants Page
Tasks You Can Perform
Field Descriptions
About the SLA Performance of a Single Tenant Page
Tasks You Can Perform
Field Descriptions
Viewing the SLA Performance of a Site
SLA Not Met by SLA Profiles
Applications SLA Performance by Throughput
SLA Performance for ALL
Viewing the SLA Performance of an Application or Application Group
Chapter 9: Monitoring Jobs
About the Jobs Page
Tasks You Can Perform
Field Descriptions
Field Descriptions
Viewing Job Details
Editing and Deleting Scheduled Jobs
Editing Scheduled Jobs
Deleting Scheduled Jobs
Retrying a Failed Job on Devices
Chapter 10: Managing POPs
About the POPs Page
Tasks You Can Perform
Field Descriptions
Creating a Single POP
Adding Information About the POP
Adding a Device
Adding a VIM
Adding an EMS
Reviewing and Saving the POP Configuration Settings
Importing Data for Multiple POPs
Customizing a POP Data File
Uploading a POP Data File
Viewing the History of POP Data Imports
Viewing the History of POP Data Deletions
Managing a Single POP
About the VIMs Page
Tasks You Can Perform
Field Descriptions
Creating a Cloud VIM
About the EMS Page
Tasks You Can Perform
Field Descriptions
Creating an EMS
Changing the Junos Space Virtual Appliance Password
About the Routers Page
Tasks You Can Perform
Field Descriptions
Creating Devices
Configuring Devices
Adding a Hub Device
View the History of Device Data Deletions
Chapter 11: Managing Devices
About the Devices Page
Tasks You Can Perform
Field Descriptions
Managing a Single CPE Device
Configuring Activation Data for a Single Device
Configuring Activation Data for Multiple Devices
Customizing an Activation Data File
Uploading an Activation Data File
Viewing the History of Activation Data Uploads
Viewing the History of Deactivation Requests
Viewing the History of Device Activation Logs
Chapter 12: Managing Device Templates
About the Device Template Page
Tasks You Can Perform
Field Descriptions
Cloning a Device Template
Importing a Device Template
Creating a Device Template File
Importing a Device Template File
Configuring a Device Template
Configuring Template Settings in a Device Template
Updating Stage-2 Configuration Template in a Device Template
Configuring Stage-2 Initial Configuration
Modifying a Device Template Description
Deleting a Device Template
Chapter 13: Managing Software Images
Device Images Overview
About the Device Images Page
Tasks You Can Perform
Field Descriptions
Deploying Device Images to Devices
Uploading a Device Image
Deleting Device Images
Chapter 14: Configuring Network Services
Network Services Overview
About the Network Services Page
Tasks You Can Perform
Field Descriptions
About the Service Overview Page
Tasks You Can Perform
Field Descriptions
About the Service Instances Page
Tasks You Can Perform
Field Descriptions
Configuring VNF Properties
Assigning a Service to Tenants
Removing a Service from Tenants
Viewing a Service Configuration
vSRX VNF Configuration Settings
LxCIPtable VNF Configuration Settings
Cisco CSR-1000v VNF Configuration Settings
Riverbed Steelhead VNF Configuration Settings
Silver Peak VX VNF Configuration Settings
Managing a Single Service
Chapter 15: Configuring Application SLA Profiles
SLA Profiles and SD-WAN Policies Overview
SLA Profiles
SD-WAN Policies
About the Application SLA Profiles Page
Tasks You Can Perform
Field Descriptions
Creating SLA Profiles
Editing and Deleting SLA Profiles
Editing an SLA Profile
Deleting SLA Profiles
Chapter 16: Configuring Application Signatures
Application Signatures Overview
About the Application Signatures Page
Tasks You Can Perform
Field Descriptions
Creating Application Signature Groups
Editing, Cloning, and Deleting Application Signature Groups
Editing Application Signature Groups
Cloning Application Signature Groups
Deleting Application Signature Groups
Chapter 17: Managing Tenants
Tenant Overview
About the Tenants Page
Before You Begin
Tasks You Can Perform
Field Descriptions
Managing a Single Tenant
About the Tenant Sites Page
Tasks You Can Perform
Field Descriptions
About the Tenant Services Page
Tasks You Can Perform
Field Descriptions
Importing Data for Multiple Tenants
Creating a Tenant Data File
Importing Tenant Data
Adding a Single Tenant
Adding Service Profiles
Viewing the History of Imported Tenant Data
Viewing the History of Deleted Tenant Data
Allocating Network Services to a Tenant
Chapter 18: Configuring MSP Users
Role-Based Access Control Overview
About the Service Provider Users Page
Tasks You Can Perform
Field Descriptions
Adding Service Provider Users
Editing and Deleting Service Provider Users
Editing Service Provider Users
Deleting Service Provider Users
Chapter 19: Configuring Authentication
Authentication Methods Overview
About the Authentication Page
Tasks You Can Perform
Field Descriptions
Editing Authentication Method
Configuring a Single Sign-On Server
Editing and Deleting SSO Servers
Editing SSO Server Configuration
Delete SSO Server Configurations
Configuring SMTP Settings
Chapter 20: Configuring Licenses
About the Licenses Page
Tasks You Can Perform
Field Descriptions
Uploading a License File
Chapter 21: Managing Signature Database
Signature Database Overview
About the Active Database Page
Tasks You Can Perform
Field Descriptions
Scheduling Signature Downloads
Installing Signatures
Part 2: Customer Portal
Chapter 22: Introduction
Unified Administration and Customer Portal Overview
Customer Portal Overview
Switching the Tenant Scope
Accessing Customer Portal
Setting Up Your Network with Customer Portal
Changing the Password on First Login
Changing the Customer Portal Password
Resetting the Password
Extending the User Login Session
Chapter 23: Using the Dashboard
About the Customer Portal Dashboard
Tasks You Can Perform
Field Descriptions
Chapter 24: Managing Objects
Sorting Objects
Viewing Object Details
Searching for Text in an Object Data Table
Chapter 25: Monitoring Tenants, Sites, and Services
About the Monitor Overview Page
Tasks You Can Perform
Field Descriptions
About the Monitor Tenants Page
Tasks You Can Perform
Field Descriptions
About the Monitor Sites Page
Tasks You Can Perform
Field Descriptions
About the Monitor Services Page
Tasks You Can Perform
Field Descriptions
Chapter 26: Monitoring Security Alerts and Alarms
Security Alerts Overview
About the Generated Alerts Page
Tasks You Can Perform
Field Descriptions
About the Security Alerts Definitions Page
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Creating Security Alert Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Editing and Deleting Security Alert Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Editing Security Alert Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Deleting Security Alert Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Cloning Security Alert Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Chapter 27
Monitoring Security and Device Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
About the All Security Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
About the Firewall Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
About the Web Filtering Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
About the IPsec VPNs Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
About the Content Filtering Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
About the Antispam Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
About the Antivirus Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
About the IPS Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Summary View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Detail View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
About the Device Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Chapter 28
Monitoring SD-WAN Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
SD-WAN Events Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
About the SD-WAN Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Chapter 29
Monitoring Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
About the SLA Performance of a Single Tenant Page . . . . . . . . . . . . . . . . . . . . . 265
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Viewing the SLA Performance of a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
SLA Not Met by SLA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Applications SLA Performance by Throughput . . . . . . . . . . . . . . . . . . . . . . . 269
SLA Performance for ALL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Viewing the SLA Performance of an Application or Application Group . . . . . . . . 272
Application Visibility Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
About the Application Visibility Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Chart View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Grid View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Selecting Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Chapter 30
Monitoring Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
About the Jobs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Editing and Deleting Scheduled Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Editing Scheduled Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Deleting Scheduled Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Viewing Job Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Chapter 31
Managing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
About the Devices Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Managing a Single CPE Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Chapter 32
Managing Device Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Device Images Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
About the Device Images Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Deleting Device Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Chapter 33
Managing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Network Service Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
About the Network Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
About the Service Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
About the Service Instances Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuring VNF Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
vSRX VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
LxCIPtable VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Cisco CSR-1000v VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Riverbed Steelhead VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . 305
Silver Peak VX VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Chapter 34
Managing Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Firewall Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
About the Firewall Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Firewall Policy Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Firewall Policy Use Case - 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Firewall Policy Use Case - 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Firewall Policy Use Case - 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Firewall Policy Use Case - 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Firewall Policy Use Case - 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Creating Firewall Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Editing, Cloning, and Deleting Firewall Policy Intents . . . . . . . . . . . . . . . . . . . . . . 321
Editing Firewall Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Cloning Firewall Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Deleting Firewall Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Firewall Policy Schedules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
About the Firewall Policy Schedules Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Creating Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Editing, Cloning, and Deleting Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Editing Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Cloning Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Deleting Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Chapter 35
Managing SD-WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
SLA Profiles and SD-WAN Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
SLA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
SD-WAN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
About the SD-WAN Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Creating SD-WAN Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Editing and Deleting SD-WAN Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Editing SD-WAN Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Deleting SD-WAN Policy Intents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
About the Application SLA Profiles Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Creating SLA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Editing and Deleting SLA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Editing an SLA Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Deleting SLA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Chapter 36
Managing NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
NAT Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
About the NAT Policies Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Creating NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Editing and Deleting NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Editing NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Deleting NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Managing NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Creating NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Editing NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Cloning NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deploying NAT Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Chapter 37
Managing Shared Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Addresses and Address Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
About the Addresses Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Creating Addresses or Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Editing, Cloning, and Deleting Addresses and Address Groups . . . . . . . . . . . . . . 357
Editing Addresses and Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Cloning Addresses and Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Deleting Addresses and Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Services and Service Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
About the Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Creating Services and Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Creating Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Editing and Deleting Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Editing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Deleting Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Editing, Cloning, and Deleting Services and Service Groups . . . . . . . . . . . . . . . . 366
Editing Services and Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Cloning Services or Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Deleting Services and Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Application Signatures Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
About the Application Signatures Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Creating Application Signature Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Editing, Cloning, and Deleting Application Signature Groups . . . . . . . . . . . . . . . 370
Editing Application Signature Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Cloning Application Signature Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Deleting Application Signature Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
About the Departments Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Creating a Department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Modifying a Department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Deleting a Department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Chapter 38
Managing Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Deploying Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
About the Deployments Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Using the Deployment Icon to Deploy Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Deploying Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Chapter 39
Managing Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
About the Sites Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Creating On-Premise Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Creating Cloud Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Configuring a Site by Uploading a JSON File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Managing a Single Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Managing LAN Segments on a Tenant Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Creating LAN Segments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Modifying LAN Segments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Deleting LAN Segments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Activating a CPE Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Viewing the History of Device Activation Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Configuring a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Configuring VRFs and PNE Details for a Site in a Centralized Deployment . . . . . 397
Chapter 40
Managing Site Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
About the Site Groups Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Creating Site Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Chapter 41
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Reports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
About the Report Definitions Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Performing Different Actions on Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
About the Generated Reports Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Creating Log Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Creating Bandwidth Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Editing and Deleting Log Report Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Editing the Log Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Deleting Log Report Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Editing and Deleting Bandwidth Report Definitions . . . . . . . . . . . . . . . . . . . . . . 409
Editing the Bandwidth Report Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Deleting Bandwidth Report Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Chapter 42
Managing Tenant Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Role-Based Access Control Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
About the Tenant Users Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Adding Tenant Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Editing and Deleting Tenant Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Editing Tenant Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Deleting Tenant Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Chapter 43
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
About the Licenses Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Chapter 44
Signature Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Signature Database Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
About the Active Database Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Installing Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Part 3
Designer Tools
Chapter 45
Configuration Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Configuration Designer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Accessing the Configuration Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Using the Configuration Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
About the Requests Page for the Configuration Designer . . . . . . . . . . . . . . . . . . 429
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Creating Requests for Configuration Templates . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Designing Templates with a YANG Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 431
Designing Templates with a Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Publishing Configuration Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
About the Designs Page for the Configuration Designer . . . . . . . . . . . . . . . . . . . 439
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Cloning Configuration Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Deleting Configuration Template Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Chapter 46
Resource Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Resource Designer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Using the Resource Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Accessing the Resource Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
About the Requests Page for the Resource Designer . . . . . . . . . . . . . . . . . . . . . 446
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
VNF Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Creating Requests for VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Designing VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Creating Basic VNF Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Adding Flavor Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Adding Standard and Custom Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Designing a Supported Function Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Viewing the Summary of VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Adding VNF Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Publishing VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
About the Designs Page for the Resource Designer . . . . . . . . . . . . . . . . . . . . . . . 458
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Cloning VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Importing VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Exporting VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Deleting VNF Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chapter 47
Network Service Designer introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Network Service Designer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Accessing Network Service Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Chapter 48
Creating Requests for Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Network Services and Service Chains Overview . . . . . . . . . . . . . . . . . . . . . . . . . 465
Performance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
About the Requests Page for the Network Service Designer . . . . . . . . . . . . . . . . 467
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Creating Requests for Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Creating a Functional Service Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Configuring Performance Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Viewing Requests for Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Chapter 49
Creating Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
About the Build Page for the Network Service Designer . . . . . . . . . . . . . . . . . . . . 473
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Viewing Information About VNFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Designing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Designing a Network Service for a Centralized Deployment . . . . . . . . . . . . . 476
Designing a Network Service for a Distributed Deployment . . . . . . . . . . . . . 477
Connecting VNFs in a Service Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Defining Ingress and Egress Points for a Service Chain . . . . . . . . . . . . . . . . . . . . 479
Monitoring Performance Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Configuring Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
vSRX Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
LxCIPtable VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Cisco CSR-1000v VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Silver Peak VX VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Riverbed Steelhead VNF Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . 493
Chapter 50
Managing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
About the Designs Page for the Network Service Designer . . . . . . . . . . . . . . . . . 495
Tasks You Can Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Field Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Publishing Network Service Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Copying Network Service Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Editing Network Service Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Deleting Network Service Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Viewing Network Service Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Part 4
Service and Infrastructure Monitor
Chapter 51
Service and Infrastructure Monitor introduction . . . . . . . . . . . . . . . . . . . . . 503
Service and Infrastructure Monitor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Accessing the Service and Infrastructure Monitor GUI . . . . . . . . . . . . . . . . . . . . . 504
Chapter 52
Monitoring Activities in the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Monitoring Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Monitoring VNFs Used in Network Services and the VMs That Host the VNFs . . 506
Monitoring Microservices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Monitoring Microservices and Their Host VMs . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Monitoring Physical Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
List of Figures
Part 3
Designer Tools
Chapter 45
Configuration Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Figure 1: Configuration Designer Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Chapter 46
Resource Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Figure 2: Resource Designer Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Chapter 48
Creating Requests for Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Figure 3: Service Chain with One VNF Instance That Provides All Functions . . . 466
Figure 4: Service Chain with Either Multiple Instances of the Same VNF or Multiple VNFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Part 1
Administration Portal
Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Fields on the Change Password Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Table 4: Fields on the Reset Password Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 3
Using the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 5: Widgets on the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Chapter 4
Monitoring Tenants, Sites, and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 6: Fields on the Monitor Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 7: Fields on the Monitor Tenants Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 8: Fields on the Tenant Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 9: Fields on the Monitor POPs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Table 10: Fields on the POP Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Table 11: Fields on the Monitor Sites Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 12: Fields on the Sites Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 13: Fields on the Monitor Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Table 14: Fields on the Services Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Chapter 5
Monitoring Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 15: Fields on the Generated Alerts Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Chapter 6
Monitoring SD-WAN Alert Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 16: Fields on the SD-WAN Alert Definitions Page . . . . . . . . . . . . . . . . . . . . . 30
Table 17: Fields on the Create SD-WAN Alert Definition Page . . . . . . . . . . . . . . . . 30
Chapter 7
Monitoring Device Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 18: Fields on the Device Events Detailed View Page . . . . . . . . . . . . . . . . . . . 34
Chapter 8
Monitoring Tenants SLA Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Table 19: Fields on the Tenants SLA Performance Page . . . . . . . . . . . . . . . . . . . . 38
Table 20: Fields on the Tenants SLA Performance Page . . . . . . . . . . . . . . . . . . . . 38
Table 21: Fields on the SLA Performance of a Single Tenant Page . . . . . . . . . . . . 40
Table 22: Fields on the SLA Performance of a Single Tenant Page in Card and Grid Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 23: Fields on the Applications SLA Performance by Throughput Grid View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Table 24: Fields on the Application or Application Group Details Page . . . . . . . . . 46
Chapter 9
Monitoring Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Table 25: Fields on the Jobs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Table 26: Fields on the Scheduled Jobs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 10
Managing POPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 27: Widgets on the POPs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 28: Fields on the POPs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 29: Fields on the Add POP page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 30: Fields on the Add Device Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Table 31: Fields on the Add Cloud VIM Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 32: Fields on the Add EMS Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Table 33: Fields on the POPs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Table 34: Fields on the Import History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 35: Fields on the Import POPs Tasks Page . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Table 36: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Table 37: Fields on the Delete History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 38: Fields on the Delete POPs Tasks Page . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 39: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 40: Widgets on the VIMs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 41: Fields on the VIMs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 42: Fields on the Add Cloud VIM Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Table 43: Fields on the EMS Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Table 44: Fields on the Add EMS Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Table 45: Change Password Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 46: Fields on the Routers Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 47: Fields on the Add Device Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table 48: Fields on the PNE Configure Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 49: Fields on the Add Hub Device Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Table 50: Fields on the Delete History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Table 51: Fields on the Delete Device Tasks Page . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Table 52: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Chapter 11
Managing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Table 53: Widgets on the Devices Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Table 54: Fields on the Devices Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Table 55: Fields on the Ship Device Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Table 56: CPE Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Table 57: Fields on the Ship CPE Details Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Table 58: Fields on the Ship History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Table 59: Fields on the Ship Tasks Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Table 60: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Table 61: Fields on the Delete History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 62: Fields on the Ship CPEs Tasks Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Table 63: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Table 64: Fields on the ZTP History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Table 65: Fields on the ZTP Logs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Table 66: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Chapter 12
Managing Device Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 67: Fields on the Device Templates Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Table 68: Device Templates Supported on NFX250 Device . . . . . . . . . . . . . . . . . 114
Table 69: Device Templates Supported on SRX Series Services Gateways . . . . . 114
Table 70: Fields on the Template Settings Page . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Table 71: Fields on the Stage-2 Configuration Templates Page . . . . . . . . . . . . . . 120
Table 72: Fields on the Add New Template Page . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 73: Fields for the VLAN Settings on the Stage-2 Initial Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Table 74: Fields for the LAN Settings on the Stage-2 Initial Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Table 75: Fields for the SRX Basic SD-WAN Settings on the Stage-2 Initial Configuration Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Chapter 13
Managing Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Table 76: Fields on the Images Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Table 77: Fields on the Upgrade History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Table 78: Fields on the Deploy Image: Select Devices Page . . . . . . . . . . . . . . . . . 130
Table 79: Fields on the Upload Device Image Page . . . . . . . . . . . . . . . . . . . . . . . . 131
Chapter 14
Configuring Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Table 80: Widgets on the Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Table 81: Fields on the Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 82: Fields on the Service Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 83: Fields on the Service Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 84: Fields on the Service Instances Page . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Table 85: Fields on the Service Instance Details Page . . . . . . . . . . . . . . . . . . . . . 140
Table 86: Fields for the vSRX Base Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Table 87: Fields for the vSRX Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Table 88: Fields for the vSRX NAT Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Table 89: Fields for the vSRX UTM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Table 90: Fields for the LxCIP Base Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 91: Fields for the LxCIP Firewall Policy Settings . . . . . . . . . . . . . . . . . . . . . . 151
Table 92: Fields for the LxCIP NAT Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . 152
Table 93: Fields for the CSR-1000v Base Settings . . . . . . . . . . . . . . . . . . . . . . . . 153
Table 94: Fields for the CSR-1000v Firewall Settings . . . . . . . . . . . . . . . . . . . . . . 153
Chapter 15
Configuring Application SLA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Table 95: SLA Profile Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Table 96: Fields on the Application SLA Profiles Page . . . . . . . . . . . . . . . . . . . . . 160
Table 97: Create SLA Profile - General Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Table 98: Create SLA Profile - Configuration Tab . . . . . . . . . . . . . . . . . . . . . . . . . 162
Chapter 16
Configuring Application Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Table 99: Fields on the Application Signatures Page . . . . . . . . . . . . . . . . . . . . . . 166
Table 100: Fields on the Create Application Signature Group Page . . . . . . . . . . . 167
Chapter 17
Managing Tenants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Table 101: Widget on the Tenants Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Table 102: Fields on the Tenants Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Table 103: Fields on the Tenant Sites Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Table 104: Fields on the Tenant Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Table 105: Tenant Configuration Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Table 106: Fields on the Tenant Configuration Page . . . . . . . . . . . . . . . . . . . . . . . 180
Table 107: Fields on the Add Service Profile Page . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table 108: Fields on the Import History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Table 109: Fields on the Import Tenants Task Page . . . . . . . . . . . . . . . . . . . . . . . 184
Table 110: Fields on the Job Status Page for Imported Tenant Data . . . . . . . . . . . 184
Table 111: Fields on the Delete History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Table 112: Fields on the Delete Tenants Tasks Page . . . . . . . . . . . . . . . . . . . . . . . 185
Table 113: Fields on the Job Status Page for Deleted Tenant Data . . . . . . . . . . . . 186
Chapter 18
Configuring MSP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Table 114: Roles and Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Table 115: Fields on the Users Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Table 116: Fields on the Add User Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 19
Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Table 117: Fields on the Authentication Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Table 118: Fields on the Authentication Type Page . . . . . . . . . . . . . . . . . . . . . . . . 195
Table 119: Fields on the Single Sign-On Server Page . . . . . . . . . . . . . . . . . . . . . . . 197
Table 120: Attribute Values and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Table 121: SMTP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Chapter 20
Configuring Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Table 122: Fields on the License Files Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Table 123: Fields on the Upload License File page . . . . . . . . . . . . . . . . . . . . . . . . 203
Chapter 21
Managing Signature Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Table 124: Fields on the Active Database Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Part 2
Customer Portal
Chapter 22
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table 125: Customer Portal Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Table 126: Fields on the Change Password Page . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Table 127: Fields on the Reset Password Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Chapter 23
Using the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Table 128: Widgets on the Customer Portal Dashboard . . . . . . . . . . . . . . . . . . . . 220
Chapter 25
Monitoring Tenants, Sites, and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Table 129: Fields on the Monitor Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Table 130: Fields on the Monitor Tenants Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Table 131: Fields on the Tenant Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . 227
Table 132: Fields on the Monitor Sites Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Table 133: Fields on the Sites Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Table 134: Fields on the Monitor Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Table 135: Fields on the Services Alert Detail Page . . . . . . . . . . . . . . . . . . . . . . . . 230
Chapter 26
Monitoring Security Alerts and Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Table 136: Fields on the Generated Alerts Page . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Table 137: Fields on the Security Alert Definitions Page . . . . . . . . . . . . . . . . . . . . 233
Table 138: Fields on the Security Alert Definitions Page . . . . . . . . . . . . . . . . . . . . 234
Chapter 27
Monitoring Security and Device Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Table 139: Widgets on the All Events Summary View Page . . . . . . . . . . . . . . . . . 238
Table 140: Fields on the All Events Detail View Page . . . . . . . . . . . . . . . . . . . . . . 239
Table 141: Widgets on the Summary View Page . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Table 142: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Table 143: Widgets on the Summary View Page . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Table 144: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Table 145: Widgets on the Summary View Page . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Table 146: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Table 147: Widgets on the Summary View Page . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Table 148: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Table 149: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Table 150: Widgets on the Summary Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Table 151: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Table 152: Widgets on the Summary Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Table 153: Fields on the Detail View Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Table 154: Fields on the Device Events Detailed View Page . . . . . . . . . . . . . . . . . 259
Chapter 28
Monitoring SD-WAN Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Table 155: Fields on the SD-WAN Events Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Chapter 29
Monitoring Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Table 156: Fields on the SLA Performance of a Single Tenant Page . . . . . . . . . . 266
Table 157: Fields on the SLA Performance of a Single Tenant Page in Card and Grid Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Table 158: Fields on the Applications SLA Performance by Throughput Grid View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Table 159: Fields on the Application or Application Group Details Page . . . . . . . 272
Table 160: Fields on the Chart View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Table 161: Widgets on the Grid View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Table 162: Detailed View of Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Chapter 30
Monitoring Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Table 163: Fields on the Jobs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Table 164: Fields on the Scheduled Jobs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter 31
Managing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Table 165: Widgets on the Devices Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Table 166: Fields on the Devices Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Chapter 32
Managing Device Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Table 167: Fields on the Device Images Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Chapter 33
Managing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Table 168: Widgets on the Network Services Page . . . . . . . . . . . . . . . . . . . . . . . . 292
Table 169: Fields on the Network Services Page . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Table 170: Fields on the Network Service Detail Page . . . . . . . . . . . . . . . . . . . . . 293
Table 171: Fields on the Service Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Table 172: Fields on the Service Instances Page . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Table 173: Fields on the Service Instance Details Page . . . . . . . . . . . . . . . . . . . . . 296
Table 174: Fields for the vSRX Base Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Table 175: Fields for the vSRX Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Table 176: Fields for the LxCIP Base Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Table 177: Fields for the LxCIP Firewall Policy Settings . . . . . . . . . . . . . . . . . . . . . 302
Table 178: Fields for the LxCIP NAT Policy Settings . . . . . . . . . . . . . . . . . . . . . . . 303
Table 179: Fields for the CSR-1000v Base Settings . . . . . . . . . . . . . . . . . . . . . . . 304
Table 180: Fields for the CSR-1000v Firewall Settings . . . . . . . . . . . . . . . . . . . . 305
Chapter 34
Managing Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Table 181: Fields on the Firewall Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Table 182: Firewall Policy Use Case - 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Table 183: Firewall Policy Use Case - 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Table 184: Firewall Policy Use Case - 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Table 185: Firewall Policy Use Case - 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Table 186: Firewall Policy Use Case - 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Table 187: Fields on the Create Firewall Policy Page . . . . . . . . . . . . . . . . . . . . . . . 312
Table 188: Fields on the Firewall Policy Schedules Page . . . . . . . . . . . . . . . . . . . 324
Table 189: Fields on the Create Schedules Page . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Chapter 35
Managing SD-WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Table 190: SLA Profile Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Table 191: Fields on the SD-WAN Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Table 192: Fields on the Create SD-WAN Policy Intent Page . . . . . . . . . . . . . . . . 334
Table 193: Fields on the Application SLA Profiles Page . . . . . . . . . . . . . . . . . . . . 338
Table 194: Create SLA Profile - General Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Table 195: Create SLA Profile - Configuration Tab . . . . . . . . . . . . . . . . . . . . . . . . 340
Chapter 36
Managing NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Table 196: Fields on the NAT Policies Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Table 197: Fields on the Create NAT Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . 346
Table 198: Fields on the Create NAT Policy Rule Page . . . . . . . . . . . . . . . . . . . . . 349
Chapter 37
Managing Shared Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Table 199: Fields on the Addresses Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Table 200: Fields on the Create Addresses Page . . . . . . . . . . . . . . . . . . . . . . . . . 355
Table 201: Address Group Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Table 202: Fields on the Service Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Table 203: Service Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Table 204: Service Group Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Table 205: Fields on Create Protocol Page Settings . . . . . . . . . . . . . . . . . . . . . . . 363
Table 206: Create Protocol Type Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Table 207: Fields on the Application Signatures Page . . . . . . . . . . . . . . . . . . . . . 369
Table 208: Fields on the Create Application Signature Group Page . . . . . . . . . . 370
Table 209: Fields on the Departments Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Table 210: Fields on the Create Departments Page . . . . . . . . . . . . . . . . . . . . . . . 373
Table 211: Fields on the Edit Department Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Chapter 38
Managing Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Table 212: Fields on the Deployments Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Table 213: Fields on the Deployment Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Table 214: Fields on the Deploy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Chapter 39
Managing Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Table 215: Fields on the Sites Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Table 216: Fields on the Add On-Premise Site Page . . . . . . . . . . . . . . . . . . . . . . . 385
Table 217: Fields on the Add Cloud Site Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Table 218: Create LAN Segment Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Table 219: Fields on the Activate Device Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Table 220: Fields on the ZTP History Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Table 221: Fields on the ZTP Logs Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 222: Fields on the Job Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 223: Fields on the Configure Site Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Table 224: Fields on the Device Configuration Page . . . . . . . . . . . . . . . . . . . . . . . 397
Chapter 40
Managing Site Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Table 225: Fields on the Site Groups Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Chapter 41
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Table 226: Fields on the Report Definitions Page . . . . . . . . . . . . . . . . . . . . . . . . . 402
Table 227: Fields on the Generated Reports Page . . . . . . . . . . . . . . . . . . . . . . . . 404
Table 228: Fields on the Create Log Report Definition Page . . . . . . . . . . . . . . . . 405
Table 229: Fields on the Create Bandwidth Report Definition Page . . . . . . . . . . 407
Chapter 42
Managing Tenant Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Table 230: Roles and Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Table 231: Fields on the Users Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Table 232: Fields on the Add User Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Chapter 43
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Table 233: Fields on the License Files Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Chapter 44
Signature Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Table 234: Fields on the Active Database Page . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Part 3
Designer Tools
Chapter 45
Configuration Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Table 235: Fields on the Changing Password Page . . . . . . . . . . . . . . . . . . . . . . . 428
Table 236: Fields on the Requests Page for the Configuration Designer . . . . . . . 430
Table 237: Fields on the New Template Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Table 238: Sample Fields on the Validate Template Page . . . . . . . . . . . . . . . . . . 433
Table 239: Sample Fields on the Customize Variables Page . . . . . . . . . . . . . . . . 437
Table 240: Fields on the Configuration Template Designs Page . . . . . . . . . . . . . 440
Chapter 46
Resource Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Table 241: Fields on the Requests Page for the Resource Designer . . . . . . . . . . . 446
Table 242: VNFs Supported by the Cloud CPE Solution . . . . . . . . . . . . . . . . . . . 448
Table 243: Fields on the New Request Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Table 244: Fields on the VNF Information Page . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Table 245: New Flavor Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Table 246: Assurance Parameters of the Network Function . . . . . . . . . . . . . . . . 455
Table 247: Add VNF Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Table 248: Fields on the Designs Page for the Resource Designer . . . . . . . . . . . 458
Chapter 48
Creating Requests for Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Table 249: Fields on the Requests Page for the Network Service Designer . . . . . 467
Table 250: Fields on the New Request Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Table 251: Fields on the Performance Goal Page . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter 49
Creating Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Table 252: Fields on the Network Service Build Page . . . . . . . . . . . . . . . . . . . . . . 474
Table 253: Fields for the vSRX Base Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Table 254: Fields for the vSRX Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . 484
Table 255: Fields for the vSRX NAT Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Table 256: Fields for the vSRX UTM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Table 257: Fields for the LxCIP Base Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Table 258: Fields for the LxCIP Firewall Policy Settings . . . . . . . . . . . . . . . . . . . 490
Table 259: Fields for the LxCIP NAT Policy Settings . . . . . . . . . . . . . . . . . . . . . . . 491
Table 260: Fields for the CSR-1000v Base Settings . . . . . . . . . . . . . . . . . . . . . . 492
Table 261: Fields for the CSR-1000v Firewall Settings . . . . . . . . . . . . . . . . . . . . . 492
Chapter 50
Managing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Table 262: Fields on the Designs Page for the Network Service Designer . . . . . . 496
Part 4
Service and Infrastructure Monitor
Chapter 52
Monitoring Activities in the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Table 263: Parameters for Monitoring Network Services . . . . . . . . . . . . . . . . . . . 505
Table 264: Parameters for Monitoring VNFs and Their Host VMs . . . . . . . . . . . . 507
Table 265: Parameters for Monitoring Microservices . . . . . . . . . . . . . . . . . . . . . . 510
Table 266: Parameters for Monitoring VNFs and Their Host VMs . . . . . . . . . . . . . 511
Table 267: Parameters for Monitoring Physical Servers . . . . . . . . . . . . . . . . . . . . 513
About the Documentation
• Documentation and Release Notes on page xxix
• Documentation Conventions on page xxix
• Documentation Feedback on page xxxi
• Requesting Technical Support on page xxxii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page xxx defines notice icons used in this guide.
Table 1: Notice Icons

Meaning: Informational note
Description: Indicates important features or instructions.

Meaning: Caution
Description: Indicates a situation that might result in loss of data or hardware damage.

Meaning: Warning
Description: Alerts you to the risk of personal injury or death.

Meaning: Laser warning
Description: Alerts you to the risk of personal injury from a laser.

Meaning: Tip
Description: Indicates helpful information.

Meaning: Best practice
Description: Alerts you to a recommended use or implementation.

Table 2 on page xxx defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (indention, braces, and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: http://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Administration Portal
• Introduction on page 3
• Managing Objects on page 13
• Using the Dashboard on page 17
• Monitoring Tenants, Sites, and Services on page 19
• Monitoring Alerts on page 27
• Monitoring SD-WAN Alert Definitions on page 29
• Monitoring Device Events on page 33
• Monitoring Tenants SLA Performance on page 37
• Monitoring Jobs on page 49
• Managing POPs on page 55
• Managing Devices on page 97
• Managing Device Templates on page 111
• Managing Software Images on page 127
• Configuring Network Services on page 135
• Configuring Application SLA Profiles on page 157
• Configuring Application Signatures on page 165
• Managing Tenants on page 171
• Configuring MSP Users on page 187
• Configuring Authentication on page 193
• Configuring Licenses on page 201
• Managing Signature Database on page 205
CHAPTER 1
Introduction
• Unified Administration and Customer Portal Overview on page 3
• Administration Portal Overview on page 4
• Logging in to Administration Portal on page 5
• Switching the Tenant Scope on page 5
• Changing the Administration Portal Password on page 6
• Changing the Password on First Login on page 7
• Resetting the Password on page 8
• Setting Password Duration on page 9
• Extending the User Login Session on page 10
• Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal on page 11
• Setting Up the Cloud CPE Distributed Deployment Model with Administration Portal on page 11
Unified Administration and Customer Portal Overview
Contrail Service Orchestration supports a unified portal for both service provider users
and tenant users and for the services managed and consumed by the administrators and
tenants.
The unified portal contains the features of vCPE, uCPE, and SD-WAN for both
Administration and Customer portals; enforces role-based access control (RBAC), which
prevents tenants from accessing administrator data; and supports different backend
authentication methods for service provider users and tenant users.
The unified portal enables service providers to deploy Juniper Networks security features
as a virtualized network function (VNF) either in distributed or centralized mode
or in the branch SRX Series device. This VNF provides advanced firewall and Network
Address Translation (NAT) management capabilities to end users from a single pane of
glass (SPOG) user interface, in a multitenant environment. This integrated user experience
can leverage the rich features or functionality supported in the Security Director
application. Service provider administrators are able to manage all phases of the security
policy life cycle more quickly and intuitively, from policy creation through deployment.
Firewall and NAT management features include policy configuration such as rule analysis,
rule reordering, event viewer for firewall and NAT events, alerts and alarms, logs and
dashboard widgets. All features have RBAC enforced, which enables either the MSP
administrator or the tenant administrator to configure policies for the tenant.
In addition to security management, the unified portal provides capabilities such as bulk
image upgrade, chassis view, configuration backup, and reboot. The unified portal also
provides SD-WAN capabilities with integrated firewall, NAT management, and device
management.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview on page 157
• Device Images Overview on page 127
Administration Portal Overview
Administration Portal offers service providers a convenient way to set up and manage
resources, customers, and availability of network services through a graphical user
interface (GUI).
When you use Administration Portal, you are actually creating and managing objects
used by the following APIs in the Cloud CPE Centralized Deployment Model and Cloud
CPE Distributed Deployment Model.
• Cloud CPE Tenant, Site, and Service Manager API, which manages customers (also called tenants), manages customer sites, and maps each customer’s network services to the appropriate gateway resources, such as the Layer 2 access interfaces and routing instances.
• Identity and Access Manager API, which manages identifiers and roles for customers and users.
• Network Service Orchestration API, which manages network services and communicates with Contrail OpenStack, the virtualized infrastructure manager (VIM).
• Contrail OpenStack API, which manages network points of presence (POPs), service chains, and virtual machines (VMs) that contain service chains.
You can also set up and manage the Cloud CPE Centralized Deployment Model and
Cloud CPE Distributed Deployment Model through API calls, either manually or from your
operational support systems and business support systems (OSS/BSS). This method
is more complex, especially if you use your own OSS/BSS, in which case you must perform
development and integration work. Use of Administration Portal is particularly beneficial
for companies who require a turnkey solution and do not want to expend effort on
developing programs to set up and manage the deployment through APIs. Even if you
plan to use your own OSS/BSS systems to set up and manage the Cloud CPE Centralized
Deployment Model and Cloud CPE Distributed Deployment Model in a production
environment, Administration Portal can prove useful for demonstrations and trials of the
deployment.
Related Documentation
• Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal on page 11
• Setting Up the Cloud CPE Distributed Deployment Model with Administration Portal on page 11
• Logging in to Administration Portal on page 5
Logging in to Administration Portal
To start Administration Portal:
1. Review the Keystone username and password that you defined for Contrail OpenStack.
You can view these settings on the Contrail Configure and Control node in the files
/etc/contrail/keystonerc and /etc/contrail/openstackrc.
2. Using a Web browser, access the URL for Administration Portal. The URL for
Administration Portal is https://Central-IP-Address, where the Central-IP-Address
denotes the IP address of the virtual machine (VM) that hosts the microservices for
the central POP.
For example, if the IP address of the VM is 192.0.2.1, then the URL is https://192.0.2.1.
NOTE: We recommend that you use Google Chrome Version 60 or later
to access the Contrail Service Orchestration (CSO) GUIs.
3. Log in with the username cspadmin and password that you specified for Contrail
OpenStack.
The Dashboard page appears.
NOTE: For the distributed deployment model, use the default password
that is specified in the roles.conf file during installation.
Related Documentation
• Administration Portal Overview on page 4
Switching the Tenant Scope
Administration Portal users can change the tenant scope from all tenants to a specific
tenant by using the tenant switcher displayed on the banner.
When you switch scope from all tenants to a specific tenant, the menu and pages
displayed are almost the same as those displayed for Customer Portal users, with some
Copyright © 2018, Juniper Networks, Inc.
5
Contrail Service Orchestration User Guide
additional actions visible to the Administration Portal users. When you switch back to
the All Tenants scope, the menu and pages for the Administration Portal are displayed.
To switch from one scope to another:
•
Related
Documentation
From the top right corner of the page, select the All Tenants scope to access
Administration Portal or select a specific tenant (for example, aaa) to access Customer
Portal. The menu and pages for Administration Portal or Customer Portal are displayed
based on the scope selected from the drop-down list.
•
Unified Administration and Customer Portal Overview on page 3
•
Role-Based Access Control Overview on page 187
Changing the Administration Portal Password
To change the Administration Portal password:
1. Click the administrative username that is located at the right side of the Administration
Portal banner.
The drop-down list appears.
2. Click Change Password.
The Change Password page appears.
NOTE: If you change the password for Administration Portal, the new
password is saved in Contrail and applies to other GUIs, such as Network
Service Designer.
3. Enter the current password.
4. In the New Password text box, enter your new password.
The login password that you set must conform to a particular set of requirements,
such as a minimum length of 6 characters, a maximum length of 21 characters, and
the inclusion of at least one lowercase letter, one uppercase letter, an alphanumeric
character, and a numeric character.
5. In the Confirm Password text box, enter your new password again to confirm it.
You can select the Show Password option to view the password.
6. Click OK.
You are logged out of the system. To log in to Administration Portal again, you must
use your new password. Other sessions logged in with the same username are
unaffected until the next login.
Related Documentation
• Administration Portal Overview on page 4
• Logging in to Administration Portal on page 5
Changing the Password on First Login
To enhance the security related to login credentials, you are prompted to change the
password when you log in to the portal for the first time.
To change the password when you log in for the first time:
1. Log in to the portal with the default login credentials.
The Change Password page appears with a message that you must change your
password for security purposes.
NOTE: The Change Password page appears only if you are logging in to
the portal for the first time.
2. Change your password following the guidelines provided in Table 3 on page 7.
3. Click Ok.
NOTE: It is mandatory to change the login password when you log in to
the portal for the first time. If you click Cancel, you are redirected to the
login page.
The login password is changed and you are logged out of the system. To log in to the
portal again, you must use your new password.
Table 3: Fields on the Change Password Page

Field: New Password
Description: Enter your new password.
The login password that you set must be between 6 and 21 characters long, and it must include at least one lowercase letter, one uppercase letter, one special character, and one number.
NOTE: The password strength indicator displays the efficiency of the password that you enter. You cannot proceed to the next step if the password strength indicator shows that the password is weak.

Field: Confirm Password
Description: Reenter the password for confirmation.
You can select Show Password to view the password.

Related Documentation
• Logging in to Administration Portal on page 5
• Changing the Administration Portal Password on page 6
• Resetting the Password on page 8
• Setting Password Duration on page 9
Resetting the Password
If you have forgotten your password, you can reset the password from the login screen.
NOTE: Your account is locked after five consecutive unsuccessful login
attempts.
To reset the password:
1. On the login page, click the Forgot Password link.
The Forgot Password page appears, with a message that an e-mail notification with
a verification code is sent to your e-mail address.
NOTE: The Forgot Password link appears only after you specify the
username.
2. In Verification Code, specify the verification code that you have received through an
e-mail.
NOTE: The verification code expires after a time duration of 15 minutes.
3. Click OK.
The Reset Password page appears.
4. Change your password following the guidelines provided in Table 4 on page 9.
5. Click OK.
Your password is reset.
Table 4: Fields on the Reset Password Page
| Field | Description |
| --- | --- |
| Username | Enter your username. |
| New Password | Enter your new password. The login password that you set must be between 6 and 21 characters long, and it must include at least one lowercase letter, one uppercase letter, one special character, and one number. NOTE: The password strength indicator displays the efficiency of the password that you enter. You cannot proceed to the next step if the password strength indicator shows that the password is weak. |
| Confirm Password | Reenter the password for confirmation. You can select Show Password to view the password. |
Related Documentation
• Logging in to Administration Portal on page 5
• Changing the Administration Portal Password on page 6
• Changing the Password on First Login on page 7
• Setting Password Duration on page 9
Setting Password Duration
To enhance the security related to login credentials, you can specify the duration (in
days) after which the password expires and must be changed. You must set the duration
while you are adding a tenant.
To set the duration (in days) after which the password expires:
1. Log in to Administration Portal.
2. Select Tenants > All Tenants > +.
The Add Tenant page appears.
3. In the Tenant Info > Password Policy section, for User Password Expires select one of
the following options:
• Never—If you select this option, the password never expires.
• After specified number of days—If you select this option, the Password Expiration
Days field appears.
In Password Expiration Days, specify the duration (in days) after which the password
expires and must be changed. You can specify the duration (in days) from 1 through
365. The default value is 180 days.
4. Complete the remaining steps for adding a tenant. For more information about adding
a tenant, see “Adding a Single Tenant” on page 179.
If the tenant user (Tenant Administrator role or Tenant Operator role) has the password
expiration days specified, then the tenant user must change the password after the
specified duration elapses.
Related Documentation
• Logging in to Administration Portal on page 5
• Changing the Administration Portal Password on page 6
• Changing the Password on First Login on page 7
• Resetting the Password on page 8
Extending the User Login Session
In the unified portal, a login session expires in 60 minutes. After 55 minutes, the Extend
Session page is displayed, prompting you to enter your password. You must enter
your password to extend the session. The Extend Session page is displayed when the
Local authentication method is configured.
If you have logged in to the portal with SSO authentication, the Extend Session page is
displayed and you can authenticate with the external SSO server. However, the SSO
expiration is not under the control of CSO and the following can happen:
• If the external SSO session is expired, you will be authenticated in the Extend Session
page. After successful authentication, the Extend Session page is closed automatically.
• If the external SSO session is not expired, the Extend Session page is closed
automatically.
To extend the login session:
1. On the Extend Session page, enter your password in the Password field. If you want
to end your session and exit from the portal, click Cancel instead and you are redirected
to the Login page.
2. Click OK.
The success message Your Session has been successfully extended is displayed.
Related Documentation
• Changing the Administration Portal Password on page 6
Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal
In the Cloud CPE Centralized Deployment Model, end users at a specific customer site
access most network services in a regional point of presence (POP), while accessing a
few specialist network services in the central POP.
You use the following workflow to set up the Cloud CPE Centralized Deployment Model
with Administration Portal:
1. Create the POPs and associated resources. See “Creating a Single POP” on page 57
and “Importing Data for Multiple POPs” on page 68.
• You must create a VIM for each POP.
• You can add an MX Series router as a physical network element (PNE) to provide
a Layer 3 routing service to customer sites through use of virtual routing and
forwarding (VRF) instances.
• You add the Junos Space element management system (EMS) if you use a VNF
that requires this EMS.
2. Create customers. See “Adding a Single Tenant” on page 179 and “Importing Data for
Multiple Tenants” on page 175.
3. If you add customers one at a time, rather than importing data for multiple tenants,
create and configure sites for each customer:
• You must create each site individually. You can create the following sites:
  • On-Premise sites—required for all customer sites. See “Creating On-Premise
  Sites” on page 384.
  • Cloud sites—required for all service providers. See “Creating Cloud Sites” on
  page 386.
  • Data Center—Only required for a network in which users access the Internet
  through the corporate VPN.
• If you configured a PNE in Step 1, then associate the PNE with the site and configure
a VRF for each customer site. See “Configuring VRFs and PNE Details for a Site in
a Centralized Deployment” on page 397.
4. Allocate network services to customers. See “Assigning a Service to Tenants” on
page 141.
Related Documentation
• Logging in to Administration Portal on page 5
• Administration Portal Overview on page 4
Setting Up the Cloud CPE Distributed Deployment Model with Administration Portal
In the Cloud CPE Distributed Deployment Model, end users at a specific customer site
access network services in both a regional point of presence (POP) and a central POP.
You use the following workflow to set up the Cloud CPE Distributed Deployment Model
with Administration Portal:
1. Add data for the POPs and provider edge (PE) router. See “Creating a Single POP” on
page 57 and “Importing Data for Multiple POPs” on page 68.
2. Upload images for devices used in the deployment, such as the vSRX gateway and
the NFX 250 platform, to the central activation server. See “Uploading a Device Image”
on page 131.
3. Upload VNF images. See “Uploading a Device Image” on page 131.
4. Create customers. See “Adding a Single Tenant” on page 179 and “Importing Data for
Multiple Tenants” on page 175.
5. If you add customers one at a time, rather than importing data for multiple tenants,
create and configure sites for each customer.
6. Configure activation data for NFX Series devices. See “Configuring Activation Data
for a Single Device” on page 100.
7. Allocate network services to customers. See “Assigning a Service to Tenants” on
page 141.
Related Documentation
• Logging in to Administration Portal on page 5
• Administration Portal Overview on page 4
CHAPTER 2
Managing Objects
• Creating Objects on page 13
• Modifying an Object on page 13
• Deleting Objects on page 14
• Viewing Object Details on page 14
• Searching for Text in an Object Data Table on page 15
• Sorting Objects on page 15
Creating Objects
You can use the create icon (+) in the top right corner of a page to create an object on
that page.
To create an object:
1. Click the + icon.
The object configuration page appears.
2. Update the configuration as needed.
See the relevant About the Objects Page topic for a description of the fields.
3. Click Upload.
The object information that you updated appears in the main page.
Related Documentation
• Deleting Objects on page 14
Modifying an Object
You can use the pencil icon in the top right of a page to modify or edit an object on that
page.
To modify an object:
1. Select the check box of the object that you want to modify, and click the pencil icon.
The object configuration page appears.
2. Update the configuration as needed.
3. Click Save.
The object information that you updated appears in the main page.
Related Documentation
• Deleting Objects on page 14
Deleting Objects
You can use the delete icon (X) in the top right corner of a page to delete an object on
that page.
To delete an object:
1. Select the object that you want to delete and click the X icon.
The Confirm Delete page appears.
2. Click Yes to delete the object or No to cancel the deletion.
The object information is deleted from the main page.
Related Documentation
• Creating Objects on page 13
Viewing Object Details
You can use the Detailed View page to view all the configured parameters of an object.
Only some of the configured parameters appear in the list of features on the main page.
To view details for an object:
• Right-click the object that you want to see the detailed view for and click Quick View,
or select the object and click More > Details.
• Alternatively, hover over the object name and click the Detailed View icon that appears
before it.
The Detailed View page appears showing the configuration information. See the relevant
About the Objects Page topic for a description of the fields on these pages.
Related Documentation
• Deleting Objects on page 14
Searching for Text in an Object Data Table
You can use the search icon in the top right corner of a page to search for text containing
letters and special characters on that page.
To search for text:
1. Enter partial text or full text of the keyword in the search bar and click the search icon.
The search results are displayed.
2. Click X next to a search keyword or click Clear All to clear the search results.
Related Documentation
• Creating Objects on page 13
Sorting Objects
You can use the Show Hide Columns icon in the top right corner of a page to show or hide
objects on a page. You can also sort the objects in a page by clicking the object column.
The following options are available for sorting the objects:
• Sort text in alphabetical order.
• Sort numbers in ascending or descending order.
• Sort by date or time.
• Rearrange columns in a table.
• Increase or decrease column width.
To show or hide an object:
1. Click the Show Hide Columns icon.
The objects that are relevant to the page are displayed. By default all objects are
selected and displayed on the page.
2. Select the objects that need to be displayed on the page and clear the objects that
are not required to be displayed.
The objects are displayed or hidden as per the selection.
Related Documentation
• Creating Objects on page 13
CHAPTER 3
Using the Dashboard
• About the Administration Portal Dashboard on page 17
About the Administration Portal Dashboard
To access this page, click Administration Portal > Dashboard.
Each time you log in to the Administration Portal, the first thing you see is a
user-configurable dashboard that offers you a customized view of network services
through its widgets.
You can drag these widgets from the carousel at the top of your dashboard to your
workspace, where you can add, remove, and rearrange them to meet your needs. For
example, you can configure a widget to display a graph with the top five tenants receiving
alerts, the status of alerts, and the name of tenant sites.
The dashboard automatically adjusts the placement of the widgets to dynamically fit
on your browser window without changing their order. You can manually reorder the
widgets using the drag and drop option. In addition, you can press and hold the top portion
of the widget to move it to a new location.
Tasks You Can Perform
You can perform the following tasks from this page:
• Customize the dashboard by adding, removing, and rearranging the widgets on a per
user basis.
• Update the dashboard or an individual widget by clicking the refresh icon.
• Show or hide widget thumbnails in the carousel by clicking Select Widgets at the top
of the page.
• Add a widget to the dashboard by dragging the widget from the palette or thumbnail
container into the workspace.
• Delete a widget from the dashboard page by clicking the X icon in the title bar.
Field Descriptions
You can quickly view important data using the widgets at the top of your dashboard.
Table 5 on page 18 describes the dashboard widgets.
Table 5: Widgets on the Dashboard
| Widget | Description |
| --- | --- |
| Alerts Donut Chart | View the total number of alerts grouped by severity level. Click each alert name to view the total number of tenant sites receiving alerts that are critical, major, or minor. |
| Top 5 POPs with Alerts | View the top five POPs receiving alerts. • POP—Name of the POP. • Tenant—Number of tenants in the POP. • Location—Location of the POP. • Status—Type of alerts received that are critical, major or minor. |
| Top 5 Sites with Alerts | View the top five tenant sites receiving alerts. • Name—Name of the tenant site. • Location—Location of the tenant site. • Status—Type of alerts received that are critical, major, or minor. |
| Top 5 Tenants with Alerts | View the top five tenants receiving alerts. • Name—Name of the tenant. • Sites—Number of sites in the tenant location. • Status—Type of alerts received that are critical, major, or minor. |
Related Documentation
• Administration Portal Overview on page 4
CHAPTER 4
Monitoring Tenants, Sites, and Services
• About the Monitor Overview Page on page 19
• About the Monitor Tenants Page on page 20
• About the Monitor POPs Page on page 22
• About the Monitor Sites Page on page 23
• About the Monitor Services Page on page 25
About the Monitor Overview Page
To access this page, click Monitor > Overview.
You can use the Monitor Overview page to view information about the alarms and alerts
for tenants, POPs, connections, and sites on a geographical map. The network operator
views the alarms and alerts, and then takes the necessary actions to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View POP details.
• View site details.
• View connections.
• View only the nodes with alerts.
Field Descriptions
Table 6 on page 19 shows the descriptions of the fields on the Monitor Overview page.
Table 6: Fields on the Monitor Overview Page
| Field | Description |
| --- | --- |
| POPs | View the POP in which the site is located. Click the POPs drop-down list and select POP Name. Enter the name of the POP. |
| Sites | View the sites at which the service is deployed. Click the Sites drop-down list and enter the name of the site. |
| Connections | View the connections in the network. Click the Connections drop-down list and select Show connections. |
| Only the node with alerts | View the nodes with issues with the service. Click the drop-down list located next to the Only the nodes with alerts check box and select the type of alerts. • Critical—Issues that prevent the node from working and require action from the operator. The nodes with critical alerts are displayed in red. • Major—Issues that prevent the node from working at this time, but they do not require action from the operator. The nodes with major alerts are displayed in orange. • Minor—Issues that allow a node to continue working, but not optimally. The network operator may need to take action to resolve the issue. The nodes with minor alerts are displayed in yellow. NOTE: The nodes without any alerts are displayed in blue. |
Related Documentation
• About the Monitor Tenants Page on page 20
• About the Monitor POPs Page on page 22
• About the Monitor Sites Page on page 23
About the Monitor Tenants Page
To access this page, click Monitor > Alarms & Alerts > Tenants.
You can use the Monitor Tenants page to view information about the alarms and alerts
for the tenants. The network operator views the alarms and alerts related to the tenants
and takes the necessary action to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a tenant. Click the details icon for the tenant. See “Viewing Object
Details” on page 14.
• Show or hide columns about the tenant on the Tenants page. See “Sorting Objects”
on page 15.
Field Descriptions
Table 7 on page 21 shows the descriptions of the fields on the Monitor Tenants page.
Table 8 on page 21 shows the descriptions of the fields on the Tenant Alert Detail page.
Table 7: Fields on the Monitor Tenants Page
| Field | Description |
| --- | --- |
| Tenant | View the name of the tenant. Click the tenant name to view more details about the tenant alert. |
| Critical Alert Count | View the total number of critical alerts for the tenant. Critical issues prevent the tenant from working and require action from the operator. |
| Major Alert Count | View the total number of major alerts for the tenant. Major issues prevent the tenant from working at that point of time, but they do not require action from the operator. |
| Minor Alert Count | View the total number of minor alerts for the tenant. Minor issues allow a tenant to continue working, but not optimally. The network operator may need to take action to resolve the issue. |
Table 8: Fields on the Tenant Alert Detail Page
| Field | Description |
| --- | --- |
| Alert Name | View the alert name. |
| Alert Type | View the alert type. |
| Severity | View the severity type of the alert. The available options are major, minor, and critical. |
| Object Type | View the object type. |
| Region | View the region of alert. |
| Alert Count | View the total number of alerts for the tenant. |
| Description | View the description of the alert. |
| Start Time | View the start time of the alert. |
| Last Updated | View the date and time when the alert was last updated. |
Related Documentation
• About the Monitor Overview Page on page 19
• About the Monitor POPs Page on page 22
• About the Monitor Sites Page on page 23
About the Monitor POPs Page
To access this page, click Monitor > Alarms & Alerts > POPs.
You can use the Monitor POPs page to view information about the alarms and alerts for
the POPs. The network operator views the alarms and alerts related to the POPs and
takes the necessary actions to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a POP. Click the details icon for the POP. See “Viewing Object
Details” on page 14.
• Show or hide columns about the POP on the POP page. See “Sorting Objects” on
page 15.
Field Descriptions
Table 9 on page 22 shows the descriptions of the fields on the Monitor POPs page.
Table 10 on page 22 shows the descriptions of the fields on the POP Alert Detail page.
Table 9: Fields on the Monitor POPs Page
| Field | Description |
| --- | --- |
| POPs | View the name of the POP. Click the POP name to view more details about the POP alert. |
| Location | View the location of the POP. |
| Critical Alert Count | View the total number of critical alerts for the POP. Critical issues prevent the POP from working and require action from the operator. |
| Major Alert Count | View the total number of major alerts for the POP. Major issues prevent the POP from working at that point of time, but they do not require action from the operator. |
| Minor Alert Count | View the total number of minor alerts for the POP. Minor issues allow a POP to continue working, but not optimally. The network operator may need to take action to resolve the issue. |
Table 10: Fields on the POP Alert Detail Page
| Field | Description |
| --- | --- |
| Alert Name | View the alert name. |
| Alert Type | View the alert type. |
| Severity | View the severity type of the alert. The available options are major, minor, and critical. |
| Object Type | View the object type. |
| Region | View the region of alert. |
| Alert Count | View the total number of alerts for the POP. |
| Description | View the description of the alert. |
| Start Time | View the start time of the alert. |
| Last Updated | View the date and time when the alert was last updated. |
Related Documentation
• About the Monitor Overview Page on page 19
• About the Monitor Tenants Page on page 20
• About the Monitor Sites Page on page 23
About the Monitor Sites Page
To access this page, click Monitor > Alarms & Alerts > Sites.
You can use the Monitor Sites page to view information about the alarms and alerts for
the tenant sites. The network operator views the alarms and alerts related to the tenant
sites and takes the necessary actions to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a tenant site. Click the details icon for the tenant site. See “Viewing
Object Details” on page 14.
• Show or hide columns about the tenant site on the CPEs page. See “Sorting Objects”
on page 15.
Field Descriptions
Table 11 on page 24 shows the descriptions of the fields on the Monitor Sites page.
Table 12 on page 24 shows the descriptions of the fields on the Sites Alert Detail page.
Table 11: Fields on the Monitor Sites Page
| Field | Description |
| --- | --- |
| Site | View the name of the site. Click the site name to view more details about the site alert. |
| Tenant | View the name of the tenant. |
| Location | View the location of the site. |
| Critical Alert Count | View the total number of critical alerts for the site. Critical issues prevent the site from working and require action from the operator. |
| Major Alert Count | View the total number of major alerts for the site. Major issues prevent the site from working at that point of time, but they do not require action from the operator. |
| Minor Alert Count | View the total number of minor alerts for the site. Minor issues allow a site to continue working, but not optimally. The network operator may need to take action to resolve the issue. |
Table 12: Fields on the Sites Alert Detail Page
| Field | Description |
| --- | --- |
| Alert Name | View the alert name. |
| Alert Type | View the alert type. |
| Severity | View the severity type of the alert. The available options are major, minor, and critical. |
| Object Type | View the object type. |
| Region | View the region of alert. |
| Alert Count | View the total number of alerts for the site. |
| Description | View the description of the alert. |
| Start Time | View the start time of the alert. |
| Last Updated | View the date and time when the alert was last updated. |
Related Documentation
• About the Monitor Overview Page on page 19
• About the Monitor Tenants Page on page 20
• About the Monitor POPs Page on page 22
About the Monitor Services Page
To access this page, click Monitor > Alarms & Alerts > Services.
You can use the Monitor Services page to view information about the alarms and alerts for
the network services. The network operator views the alarms and alerts related to the
tenant sites and takes the necessary actions to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a network service. Click the details icon for the network service. See
“Viewing Object Details” on page 14.
• Show or hide columns about the network service on the Network Services page. See
“Sorting Objects” on page 15.
Field Descriptions
Table 13 on page 25 shows the descriptions of the fields on the Monitor Services page.
Table 14 on page 25 shows the descriptions of the fields on the Services Alert Detail page.
Table 13: Fields on the Monitor Services Page
| Field | Description |
| --- | --- |
| Service | View the name of the service. Click the service name to view more details about the site alert. |
| Service Profile | View the name of the service profile. |
| Critical Alert Count | View the total number of critical alerts for the service. Critical issues prevent the service from working and require action from the operator. |
| Major Alert Count | View the total number of major alerts for the service. Major issues prevent the service from working at that point of time, but they do not require action from the operator. |
| Minor Alert Count | View the total number of minor alerts for the service. Minor issues allow a service to continue working, but not optimally. The network operator may need to take action to resolve the issue. |
Table 14: Fields on the Services Alert Detail Page
| Field | Description |
| --- | --- |
| Alert Name | View the alert name. |
| Alert Type | View the alert type. |
| Severity | View the severity type of the alert. The available options are major, minor, and critical. |
| Object Type | View the object type. |
| Region | View the region of alert. |
| Alert Count | View the total number of alerts for the site. |
| Description | View the description of the alert. |
| Start Time | View the start time of the alert. |
| Last Updated | View the date and time when the alert was last updated. |
Related Documentation
• About the Monitor Overview Page on page 19
• About the Monitor Tenants Page on page 20
• About the Monitor POPs Page on page 22
• About the Monitor Sites Page on page 23
CHAPTER 5
Monitoring Alerts
• About the Generated Alerts Page on page 27
About the Generated Alerts Page
To access this page, click Monitor > Alerts & Alarms > Alerts.
Use this page to view the system event-based alerts generated in response to a configured
alert definition. The generated alerts help you to identify problems that appear in your
monitored network environment. The page displays both security and SD-WAN alerts. You can
view statistics such as the number of critical and non-critical alerts.
Tasks You Can Perform
You can perform the following tasks from this page:
• Select the generated alert and then right-click or click More > Detail View.
• Select the generated alert and then right-click or click More > Clear All Selections.
Field Descriptions
Table 15 on page 27 provides guidelines on using the fields on the Generated Alerts page.
Table 15: Fields on the Generated Alerts Page
| Field | Description |
| --- | --- |
| Time | View the date and time when the alert was generated. |
| Alert Name | View the name of the alert. |
| Alert Description | View the description of the alert. |
| Source | View the source. |
| Alert Type | View the type of alert. |
| Severity | View the severity of the alert. |
| Tenant | View the name of the tenant. |
| Site | View the tenant site. |
| Object Type | View the object type. |
| Alert ID | View the alert ID. |
Related Documentation
• About the SD-WAN Alert Definitions Page on page 29
• Creating SD-WAN Alert Definitions on page 30
• Editing and Deleting SD-WAN Alert Definitions on page 31
CHAPTER 6
Monitoring SD-WAN Alert Definitions
• About the SD-WAN Alert Definitions Page on page 29
• Creating SD-WAN Alert Definitions on page 30
• Editing and Deleting SD-WAN Alert Definitions on page 31
About the SD-WAN Alert Definitions Page
To access this page, select Monitor > Alarms & Alerts > SD-WAN Alert Definitions in the
Administration Portal.
You can use the SD-WAN Alert Definitions page to view and manage alert definitions for
SD-WAN. An alert definition consists of data criteria for triggering alerts about issues
in the SD-WAN environment. Alert definitions also define the necessary action required
to resolve issues based on the severity of the alert. An alert is triggered when the event
threshold exceeds the data criteria that are defined. You can create an alert definition to
monitor your data in real time and identify issues and attacks before they impact your
network.
Tasks You Can Perform
You can perform the following tasks from this page:
• View existing SD-WAN alert definitions.
• Create SD-WAN alert definitions. See “Creating SD-WAN Alert Definitions” on page 30.
• Edit or delete an existing SD-WAN alert definition. See “Editing and Deleting SD-WAN
Alert Definitions” on page 31.
• Show or hide columns that contain information about SD-WAN alert definitions. See
“Sorting Objects” on page 223.
• Search for alert definitions using keywords. Click the search icon. Enter partial text or
full text of the keyword in the search bar and press Enter. The search results are
displayed.
Field Descriptions
Table 16 on page 30 describes the fields on the SD-WAN Alert Definitions page.
Table 16: Fields on the SD-WAN Alert Definitions Page
| Field | Description |
| --- | --- |
| Rule Priority | View the priority of the alert definition. A value of one (1) indicates highest priority. |
| Alert Description | View the description of the alert. |
| Filter | View the matching severity criterion to trigger the alert. |
| Action | View the action to be performed to resolve issues. |
| Context | View the additional configuration parameters that you can pass on to the rule action function. |
Related Documentation
• Creating SD-WAN Alert Definitions on page 30
• Editing and Deleting SD-WAN Alert Definitions on page 31
Creating SD-WAN Alert Definitions
You can use the Create SD-WAN Alert Definition page to create an alert definition for
SD-WAN that consists of data criteria for triggering alerts about issues in the SD-WAN
environment. In the alert definition, you can also define the necessary action that is
required to resolve issues based on the severity of the alert.
To create an SD-WAN alert definition:
1. Click the add icon (+) on the Monitor > Alarms & Alerts > SD-WAN Alert Definitions
page in Administration Portal.
The Create SD-WAN Alert Definition page appears.
2. Enter the alert definition configuration according to the guidelines provided in
Table 17 on page 30.
3. Click OK to create the alert definition.
Alternatively, if you want to discard your changes, click Cancel instead.
Table 17 on page 30 describes the fields on the Create SD-WAN Alert Definition page.
Table 17: Fields on the Create SD-WAN Alert Definition Page
Field
Guidelines
Alert Name
Enter the name of the alert definition. Enter a unique string of alphanumeric characters and some special
characters (. -). No spaces are allowed, and the maximum length is 256 characters.
Alert Description
Enter a description for the alert definition; maximum length is 512 characters.
Priority
Enter the priority for the alert definition. A value of 1 indicates highest priority.
Filter
Select the matching severity criteria to trigger an alert. You can match severity, alert type, or object types.
You can select one of the following options:
• To match severity options, select Match Severity Critical, Match Severity Not Critical, Match Severity Major,
Match Severity Not Major, Match Severity Normal, Match Severity Not Normal, or Match Severity All.
The Match Severity Critical option is selected by default.
• To match alert types, such as alerts related to the device host or the application services on the host,
select Match Alert Type Service or Match Alert Type Host.
• To match object types, such as a single uCPE device or a uCPE VNF, select Match Object Type UCPE DEVICE
or Match Object Type UCPE VNF respectively.
Action
Select the action to be performed to resolve issues based on the severity of the alert. You can select one of
the following actions:
• Alert Action Send to Rmq—Send the alert object to an external RabbitMQ broker. This option is selected
by default. If this option is selected, you can also enter additional RabbitMQ broker configuration parameters
in the Context field.
• Alert Action Discard—Discard the alert object.
• Alert Action Resolve Uuids—Resolve UUIDs to a machine-readable format.
Context
Enter a set of additional configuration parameters for the external RabbitMQ broker. The configuration
parameters include the RabbitMQ broker IP address, port number, the exchange name and type, and the
username and password. The parameters must be entered in JSON format. The additional parameters are
passed as arguments to the action function when the selected action is Alert Action Send to Rmq.
Example:
{
"broker_ip": "192.0.2.0",
"broker_port": "5672",
"exchange_name": "external_alert_exchange",
"exchange_type": "topic",
"user": "user-name",
"password": "password"
}
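The Context value can be checked before it is pasted into the portal. The following Python check is an added example, not part of the guide or of Contrail Service Orchestration; it assumes the six keys in the guide's example are all required, and the function name check_context is hypothetical.

```python
import ipaddress
import json
import re

# Keys shown in the guide's Context example for "Alert Action Send to Rmq".
# Treating all six as required is an assumption of this example.
REQUIRED_KEYS = ("broker_ip", "broker_port", "exchange_name",
                 "exchange_type", "user", "password")
# Exchange types built into RabbitMQ.
EXCHANGE_TYPES = {"direct", "fanout", "topic", "headers"}
# Placeholder credentials printed in the guide's example.
PLACEHOLDERS = {"user": "user-name", "password": "password"}
# Curly quotes that PDFs and word processors substitute for " and '.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

# The guide's example, retyped with straight quotes.
GUIDE_EXAMPLE = """{
  "broker_ip": "192.0.2.0",
  "broker_port": "5672",
  "exchange_name": "external_alert_exchange",
  "exchange_type": "topic",
  "user": "user-name",
  "password": "password"
}"""


def check_context(text):
    """Return (errors, warnings) for a Context JSON string."""
    errors, warnings = [], []
    if any(q in text for q in SMART_QUOTES):
        errors.append("typographic quotes present; JSON needs straight double quotes")
        return errors, warnings
    try:
        ctx = json.loads(text)
    except json.JSONDecodeError as exc:
        errors.append(f"invalid JSON: {exc.msg} (line {exc.lineno})")
        return errors, warnings
    if not isinstance(ctx, dict):
        errors.append("top-level value must be a JSON object")
        return errors, warnings

    for key in REQUIRED_KEYS:
        if key not in ctx:
            errors.append(f"missing key: {key}")
        elif not str(ctx[key]).strip():
            errors.append(f"empty value: {key}")

    ip = ctx.get("broker_ip")
    if ip:
        try:
            ipaddress.ip_address(str(ip))
        except ValueError:
            errors.append("broker_ip is not a valid IPv4/IPv6 address")

    port = str(ctx.get("broker_port", "")).strip()
    if port:
        if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
            errors.append("broker_port must be an integer from 1 to 65535")
        elif int(port) == 5672:
            # 5672 is RabbitMQ's default plaintext AMQP listener (5671 is the TLS default).
            warnings.append("broker_port 5672 is RabbitMQ's default non-TLS port; "
                            "credentials and alerts are not encrypted in transit")

    xtype = ctx.get("exchange_type")
    if xtype and str(xtype) not in EXCHANGE_TYPES:
        errors.append(f"exchange_type must be one of {sorted(EXCHANGE_TYPES)}")

    for key, placeholder in PLACEHOLDERS.items():
        if ctx.get(key) == placeholder:
            warnings.append(f"{key} still holds the guide's placeholder value")
    if ctx.get("user") == "guest":
        # RabbitMQ restricts its built-in guest account to localhost by default.
        warnings.append("user 'guest' is normally refused for remote connections")
    return errors, warnings


if __name__ == "__main__":
    for line in sum(check_context(GUIDE_EXAMPLE), []):
        print(line)
```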
Related Documentation
• About the SD-WAN Alert Definitions Page on page 29
• Editing and Deleting SD-WAN Alert Definitions on page 31
Editing and Deleting SD-WAN Alert Definitions
You can edit and delete SD-WAN alert definitions from the SD-WAN Alert Definitions
page.
Editing an SD-WAN Alert Definition
To modify an SD-WAN alert definition:
1. Select the check box for the alert definition that you want to modify, and click the edit
icon on the Monitor > Alarms & Alerts > SD-WAN Alert Definitions page in the
Administration Portal.
The Edit SD-WAN Alert Definition page appears.
2. Update the configuration as needed and according to the guidelines in “Creating
SD-WAN Alert Definitions” on page 30.
3. Click OK to save your changes.
The alert definition information that you updated appears on the SD-WAN Alert
Definitions page.
Alternatively, if you want to discard your changes, click Cancel instead.
Deleting SD-WAN Alert Definitions
If the alert definition is no longer needed, then you can delete the alert definition. To
delete an SD-WAN alert definition:
1. Select one or more alert definitions that you want to delete and click the delete icon
(X) on the Monitor > Alarms & Alerts > SD-WAN Alert Definitions page in the
Administration Portal.
A page requesting confirmation for the deletion appears.
2. Click Yes to confirm that you want to delete the alert definition.
The alert definition is deleted.
Alternatively, if you want to cancel the delete operation, click No instead.
Related Documentation
• About the SD-WAN Alert Definitions Page on page 29
• Creating SD-WAN Alert Definitions on page 30
CHAPTER 7
Monitoring Device Events
• About the Device Events Page on page 33
About the Device Events Page
To access this page, click Monitor > Device Events.
Use the Device Events page to view information about device events such as routine
operations, failure and error conditions, and emergency or critical conditions.
You can view comprehensive details of device events in a tabular format that includes
sortable columns and a line graph (also known as swim lanes). The data presented in
the line graph is refreshed automatically based on the selected time range. The line graph
shows light blue areas that represent all device events and dark blue areas that represent
blocked device events.
Tasks You Can Perform
You can perform the following tasks from this page:
• Click the Custom button to select the date and time range to generate the device event.
• Show or hide the time range in the carousel by clicking the show or hide buttons at the top of
the page.
Advanced Search
You can perform an advanced search of all events by using the text field above the
tabular column. The filter string can include logical operators. Enter the
search string in the text field; based on your input, a list of items from the filter context
menu is displayed. You can select a value from the list and then select a valid logical
operator to perform the advanced search operation. Press Enter to display the search
result in the tabular column below.
To delete the search string in the text field, click the delete icon (X icon).
Examples of event log filters are shown in the following list:
• Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event
Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS,
IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT,
IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT,
AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT,
ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL,
FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL,
FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL,
FWAUTH_TELNET_USER_AUTH_FAIL_LS,
FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
• All RT flow sessions originating from IPs in specific countries and
landing on IPs in specific countries
Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source
IP = 177.1.1.1,220.194.0.150,14.1.1.2,196.194.56.4 AND Destination IP =
255.255.255.255,10.207.99.75,10.207.99.72,223.165.27.13 AND Source Country =
Brazil,United States,China,Russia,Algeria AND Destination Country =
Germany,India,United States
• Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust, internal AND Policy Name = IDP2
• UTM logs coming from specific source country, destination country, source IPs with or
without specific destination IPs
Event Category = antispam, antivirus, contentfilter, webfilter AND Source Country =
Australia AND Destination Country = Turkey, United States, Australia AND Source IP
= 1.0.0.0,1.1.1.3 OR Destination IP = 74.125.224.47,5.56.17.61
• Events with specific source IPs or events hitting TFTP, FTP, HTTP, and unknown
applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp, ftp, http, unknown OR Source IP = 192.168.34.10,192.168.1.26 AND
Hostname = dc-srx1400-1,vsrx-75
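The filter strings above follow a regular shape: Field = value,value joined by AND or OR. The following Python sketch is an added example, not part of the guide or the product; it splits a filter into clauses and flags mistakes before the string is used in a search. It assumes every Table 18 column listed in KNOWN_FIELDS is filterable, and the names parse_filter and lint_filter are hypothetical.

```python
import difflib
import ipaddress
import re
from collections import namedtuple

Clause = namedtuple("Clause", "connector field values")

# Column names taken from Table 18; treating them all as valid filter
# fields is an assumption of this example.
KNOWN_FIELDS = {
    "Event Name", "Event Category", "Source Country", "Destination Country",
    "Source IP", "Destination IP", "Source Port", "Destination Port",
    "Source Zone", "Destination Zone", "Policy Name", "Application",
    "Hostname", "Service Name", "User Name", "Action", "Threat Severity",
}
IP_FIELDS = {"Source IP", "Destination IP"}

# Two of the guide's example filters, and one constructed filter with mistakes.
UTM_FILTER = ("Event Category = antispam, antivirus, contentfilter, webfilter "
              "AND Source Country = Australia AND Destination Country = "
              "Turkey, United States, Australia AND Source IP = 1.0.0.0,1.1.1.3 "
              "OR Destination IP = 74.125.224.47,5.56.17.61")
ZONE_FILTER = ("Source Zone = trust AND Destination Zone = untrust, internal "
               "AND Policy Name = IDP2")
BAD_FILTER = "Source Contry = Brazil AND Source IP = 10.0.0.300"  # constructed


def parse_filter(expr):
    """Split a filter string into Clause(connector, field, values) tuples."""
    flat = " ".join(expr.split())              # undo line wrapping
    parts = re.split(r"\s+(AND|OR)\s+", flat)  # clause, op, clause, op, ...
    clauses = []
    for i in range(0, len(parts), 2):
        connector = parts[i - 1] if i else None
        field, sep, raw = parts[i].partition("=")
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if not sep or not field.strip() or not values:
            raise ValueError(f"malformed clause: {parts[i]!r}")
        clauses.append(Clause(connector, field.strip(), values))
    return clauses


def lint_filter(expr):
    """Return a list of findings for a filter string (empty list = clean)."""
    findings = []
    clauses = parse_filter(expr)
    for clause in clauses:
        if clause.field not in KNOWN_FIELDS:
            hint = difflib.get_close_matches(clause.field, sorted(KNOWN_FIELDS), n=1)
            suffix = f" (did you mean {hint[0]!r}?)" if hint else ""
            findings.append(f"unknown field {clause.field!r}{suffix}")
        if clause.field in IP_FIELDS:
            for value in clause.values:
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    findings.append(f"{clause.field}: {value!r} is not an IP address")
    connectors = {c.connector for c in clauses if c.connector}
    if len(connectors) > 1:
        # This section of the guide does not state AND/OR precedence.
        findings.append("filter mixes AND and OR; precedence is not documented "
                        "here, so verify the result set against known events")
    return findings


if __name__ == "__main__":
    for name in ("UTM_FILTER", "ZONE_FILTER", "BAD_FILTER"):
        print(name, lint_filter(globals()[name]))
```

A filter that silently matches nothing because of a misspelled field or address looks the same as a quiet network, so linting the string first avoids a false sense of coverage.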
Field Descriptions
Table 18 on page 34 provides guidelines on using the fields on the Device Events page.
Table 18: Fields on the Device Events Detailed View Page
Field
Description
Time
View the time when the log was received.
Event Name
View the event name of the log.
Tenant
View the name of the tenant.
Site
View the name of the tenant site.
Source Country
View the name of source country from where the event originated.
Source IP
View the source IP address from where the event occurred.
Destination Country
View the name of destination country from where the event occurred.
Destination IP
View the destination IP address of the event.
Source Port
View the source port of the device event.
Destination Port
View the destination port of the device event.
Description
View the description of the log.
Attack Name
View the attack name of the log. For example, Trojan, worm, virus, and so on.
Threat Severity
View the severity level of the threat.
Policy Name
View the policy name in the log.
UTM Category or Virus Name
View the UTM category of the log.
URL
View the accessed URL name that triggered the event.
Event Category
View the event category of the log.
User Name
View the username of the log.
Argument
View the type of traffic. For example, ftp and http.
Action
View the action taken for the event. For example, warning, allow, or block.
Log Source
View the IP address of the log source.
Application
View the application name from which the events or logs are generated.
Hostname
View the host name in the log.
Service Name
View the name of the application service. For example, FTP, HTTP, SSH, and so
on.
Nested Application
View the nested application in the log.
Source Zone
View the source zone of the log.
Destination Zone
View the destination zone of the log.
Protocol ID
View the protocol ID in the log.
Roles
View the role name associated with the log.
Reason
View the reason for the log generation. For example, a connection tear down may
have an associated reason such as authentication failed.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source Rule Name
View the NAT source rule name.
NAT Destination Rule Name
View the NAT destination rule name.
NAT Source IP
View the translated (or natted) source IP address. It can contain IPv4 or IPv6
addresses.
NAT Destination IP
View the translated (also called natted) destination IP address.
Traffic Session ID
View the traffic session ID of the log.
Path Name
View the path name of the log.
Logical System Name
View the name of the logical system.
Rule Name
View the name of the rule.
Profile Name
The name of the profile that triggered the event.
Event Count
View the number of events that occurred.
Tenant
View the name of the tenant from which the event originated.
CHAPTER 8
Monitoring Tenants SLA Performance
• About the SLA Performance of All Tenants Page on page 37
• About the SLA Performance of a Single Tenant Page on page 39
• Viewing the SLA Performance of a Site on page 41
• Viewing the SLA Performance of an Application or Application Group on page 46
About the SLA Performance of All Tenants Page
To access this page, select Monitor > Tenants SLA Performance in the Administration
Portal.
You can use the Tenants SLA Performance page to view the SLA performance of all
tenants. You can view the SLA performance of all tenants that have met and all tenants
that have not met the defined SLA target values for the specified time range. You can
customize your view by selecting card or grid views and also customize the time range
for which you can view the SLA performance.
Tasks You Can Perform
You can perform the following tasks from this page:
• View the SLA performance of all tenants that have met the defined SLA target values
for the specified time range.
• View the SLA performance of all tenants that have not met the defined SLA target
values for the specified time range.
• You can view the SLA performance of all tenants in grid or card views.
Select card view or grid view at the top right of the page to switch between views. By
default, card view is selected.
• You can customize the time range to view the SLA performance of all tenants.
Select the time range for which you want to view SLA performance. You can choose
from Previous 1 hour, Previous 1 day, Previous 1 week, Previous 1 month, and Custom.
For custom time, you must enter from and to dates in MM/DD/YYYY format and the
time in HH:MM:SS format. By default, Previous 1 day is selected.
Field Descriptions
Table 19 on page 38 describes the fields on the Tenants SLA Performance page.
Table 19: Fields on the Tenants SLA Performance Page
Field
Description
Time range
Select the time range for which you want to view the SLA performance. You can choose from Previous
1 hour, Previous 1 day, Previous 1 week, Previous 1 month, and Custom. For custom time, you must
enter from and to dates in MM/DD/YYYY format and the time in HH:MM:SS format. By default,
Previous 1 day is selected.
View
Select the view in which you want to display the SLA performance. You can choose between card
and grid views. By default, card view is selected.
Tenants Not Meeting SLAs
View the tenants that did not meet the defined SLA target values in the selected time range.
Click each tenant to view information about the SLA performance of the sites in the tenant. See
“About the SLA Performance of a Single Tenant Page” on page 39.
Tenants Meeting SLAs
View the tenants that met the defined SLA target values in the selected time range.
Click each tenant to view information about the SLA performance of the sites in the tenant. See
“About the SLA Performance of a Single Tenant Page” on page 39.
Table 20 on page 38 describes the fields in the card and grid views.
Table 20: Fields on the Tenants SLA Performance Page
Field
View
Description
SLA not met (Time)
Card and Grid
View the average time (in %) during which all the sites
in a tenant did not meet the defined SLA target values.
The average time is calculated by dividing the sum of the
time each site in a tenant did not meet SLA target values
by the total number of sites.
Profiles (card view), Profile SLA Not Met (grid view)
Card and Grid
View the time (in %) during which defined SLA target
values were not met for each SLA profile. The top two
profiles are listed in decreasing order of percentage of
time during which SLA target values were not met. The
remaining profiles and their combined sum of time (in %)
for which SLA target values were not met are listed under
Others. The SLA profile priority is indicated within the
circle. You can define priority of the SLA profile when you
create an SLA profile.
Hover over the profile priority to view the SLA profile
name.
Sites
Card and Grid
View the number of sites which did not meet SLA target
values over the total number of sites in the tenant.
If all sites met SLA target values all the time, then view
the total number of sites in the tenant.
Related Documentation
• About the SLA Performance of a Single Tenant Page on page 39
• Viewing the SLA Performance of a Site on page 41
• Viewing the SLA Performance of an Application or Application Group on page 46
• Creating SLA Profiles on page 161
About the SLA Performance of a Single Tenant Page
To access this page, select Monitor > Tenants SLA Performance > Tenant-Name SLA
Performance in the Administration Portal.
You can use the Tenant-Name SLA Performance page to view SLA performance of all
sites in a tenant. You can view the SLA performance of all sites that have met and all
sites that have not met the defined SLA target values for the specified time range. You
can customize your view and also the time range for which you want to view the SLA
performance.
Tasks You Can Perform
You can perform the following tasks from this page:
• View the SLA performance for all sites in the tenant that have met the defined SLA
target values, without switching WAN links, for the specified time range.
• View the SLA performance for all sites in the tenant that have met the defined SLA
target values, after switching WAN links, for the specified time range.
• View the SLA performance for all sites in a tenant that have not met the defined SLA
target values for the specified time range.
• View the SLA performance for all sites in a tenant in grid or card views.
Select card view or grid view at the top right of the page. By default, card view is
selected.
• Customize the time range to view the SLA performance for all sites in a tenant.
Select the time range for which you want to view SLA performance. You can choose
from Previous 1 hour, Previous 1 day, Previous 1 week, Previous 1 month, and Custom.
For custom time, you must enter from and to dates in MM/DD/YYYY format and the
time in HH:MM:SS format. By default, Previous 1 day is selected.
Field Descriptions
Table 21 on page 40 describes the fields on the SLA Performance of a Single Tenant page.
Table 21: Fields on the SLA Performance of a Single Tenant Page
Field
Description
Time range
Select the time range for which you want to view the SLA performance.
You can choose from Previous 1 hour, Previous 1 day, Previous 1 week,
Previous 1 month, and Custom. For custom time, you must enter from and
to dates in MM/DD/YYYY format and the time in HH:MM:SS format. By
default, Previous 1 day is selected.
View
Select the view in which you want to display the SLA performance for all
sites in the tenant. You can choose between card and grid views. By default,
card view is selected.
Sites Not Meeting SLAs
View the sites that did not meet the defined SLA target values in the
selected time range.
Click each site to view more information about the SLA performance of
the applications and application groups in the site. See “Viewing the SLA
Performance of a Site” on page 41.
Sites Meeting SLAs With Switch
View the sites that switched WAN links to meet the defined SLA target
values in the selected time range.
Click each site to view more information about the SLA performance of
the applications and application groups in the site. See “Viewing the SLA
Performance of a Site” on page 41.
Sites Meeting SLAs Without Switch
View the sites that met the defined SLA target values in the selected time
range without switching WAN links.
Click each site to view more information about the SLA performance of
the applications and application groups in the site. See “Viewing the SLA
Performance of a Site” on page 41.
Table 22 on page 40 describes the fields in the card and grid views.
Table 22: Fields on the SLA Performance of a Single Tenant Page in Card and Grid Views
Field
View
Description
Name
Card and Grid
View the name of the site.
SLA not met (Time)
Card and Grid
View the average time (in %) during
which all the sites in a tenant did not
meet the defined SLA target values.
Profiles (card view), Profile SLA Not Met (grid view)
Card and Grid
View the time (in %) during which
defined SLA target values were not met
for each SLA profile. The top two
profiles with highest priority and the
percentage of time during which SLA
target values were not met are listed.
The remaining profiles and their
combined sum of time (in %) for which
SLA target values were not met are
listed under Others. The SLA profile
priority is indicated within the circle. You
can define priority of the SLA profile
when you create an SLA profile.
Hover over the profile priority to view
the SLA profile name.
App - Groups
Card and Grid
View the total number of applications
and application groups in the site.
Switch Events
Card and Grid
View the number of times the site
switched WAN links over the number of
designated WAN links. A switch event,
also called SD-WAN event, occurs when
a site switches WAN links to meet the
SLA requirements.
Switch Events Per Profile
Card and Grid
View the number of times the site
switched WAN links for each profile. You
can view the switch events for the top
two SLA profiles in the decreasing order
of switch events for each profile.
Related Documentation
• About the SLA Performance of All Tenants Page on page 37
• Viewing the SLA Performance of a Site on page 41
• Viewing the SLA Performance of an Application or Application Group on page 46
• Creating SLA Profiles on page 161
Viewing the SLA Performance of a Site
You can use the Monitor > Tenant-Name SLA Performance > Site-Name SLA Performance
page in the Administration Portal to view SLA performance for all applications and
application groups in a site. You can view the SLA performance for all applications and
application groups in a site for a specified time range and in graph or grid views.
The Site-Name SLA Performance page is divided into the following three sections:
• SLA Not Met by SLA Profiles on page 42
• Applications SLA Performance by Throughput on page 43
• SLA Performance for ALL on page 45
SLA Not Met by SLA Profiles
You can use the SLA Not Met by SLA Profiles section on the Site-Name SLA Performance
page to view the SLA profiles for which SLA requirements were not met and the time at
which they were not met. The y-axis represents the SLA profiles and the x-axis represents
the specified time range. The SLA Not Met by SLA Profiles section can be viewed and
remains the same in both graph and grid views.
To view a graphical representation of SLA profiles for which SLA target values were not
met:
1. Select the time range for which you want to view the SLA profiles for which SLA target
values were not met. You can choose from Previous 1 hour, Previous 1 day, Previous 1
week, Previous 1 month, and Custom. For custom time, you must enter from and to
dates in MM/DD/YYYY format and the time in HH:MM:SS format. By default, Previous
1 day is selected.
The graphical representation of SLA profiles for which SLA target values were not
met is displayed for the selected time range.
2. (Optional) You can use the sliders at the sides of the graph to further customize the
time range.
The graphical representation of SLA profiles for which SLA target values were not
met is refreshed and displayed for the customized time range. The graphical
representation of SLA performance data in the subsequent sections on the page is
also refreshed and displayed for the customized time range.
Applications SLA Performance by Throughput
You can view average throughput performance of all applications and application groups
in a site. You can also customize your view by selecting graph view or grid view. In the
graph view, you can further select scatter plot or tree map views.
To view a graphical representation of average throughput performance of all applications
and application groups in a site:
1. Select Graph View at the top right of the page. By default, Graph View is selected.
A graphical representation of average throughput performance of all applications and
application groups in a site against the target throughput is displayed in the Scatter
Plot view. The y-axis represents the average throughput. 0% on the x-axis represents
the target throughput (in %) defined in the SLA profiles, while the regions on the left
and right of the target represent percentages below and above the target throughput,
respectively.
A carousel at the bottom of the section also displays the list of all applications and
application groups with their SLA profiles, target throughput, and average throughput
values.
2. Click Legend at the bottom right of the section to view the plotting legend.
The items described in the Legend are:
• A single application is represented by a blue circle.
• An application group is represented by a blue square.
• An application or application group whose target throughput value in the SLA profile
was modified during runtime is represented by an uncolored circle or uncolored
square, respectively.
• The SLA profiles are represented by their priority numbers within the colored or
uncolored circles and squares.
3. (Optional) You can use the sliders at the sides of the graph to further customize the
time range.
The carousel is refreshed for the customized time range.
4. Click the circles or squares to view more information about the application or
application groups. See “Viewing the SLA Performance of an Application or Application
Group” on page 46.
NOTE: You can also select Tree Map at the top right of the section to view a
list of all applications and application groups in a site and their average
throughput values.
A list of all applications and application groups in a site along with their
associated SLA profiles and the average throughput values is displayed.
To view a tabular representation of average throughput performance of all applications
and application groups in a site:
1. Select Grid View at the top right of the page.
A list of all applications and application groups along with their SLA profiles, average
throughput, and target throughput values is displayed in a tabular format.
Table 23 on page 44 describes the fields on the Applications SLA Performance by
Throughput grid view.
Table 23: Fields on the Applications SLA Performance by Throughput Grid View
Field
Description
Name
View name of the application or application group.
SLA Profile
View the SLA profile associated with the application or application group.
Type
View the type—application or application group.
Category
View the category of the application or application group. The value of category can be
Messaging, Web, Infrastructure, Remote-Access, Multimedia, Video, and so on.
Sessions
View the number of sessions consumed by the application or application group.
Throughput Avg. Performance
View the average throughput performance value (in %) of the application or application
group. The upward triangle on the left of the average throughput performance value indicates
that the average throughput is higher than the target throughput configured in the SLA profile
of the application or application group. The value (in %) denotes the percentage above the
target throughput value. Similarly, the downward triangle on the left of the average throughput
performance value indicates that the average throughput is lower than the target throughput
configured in the SLA profile of the application or application group. The value (in %) denotes
the percentage below the target throughput value.
2. (Optional) Click the details icon to the left of the application or application group
name to view more details about the application or application group. See “Viewing
the SLA Performance of an Application or Application Group” on page 46.
SLA Performance for ALL
View a graphical representation of the performance of the SLA parameters such as
round-trip time (RTT), latency, packet loss, and jitter for the specified time range for
MPLS and Internet WAN links for all SLA profiles. The y-axis represents the SLA
parameters and the x-axis represents the specified time range. You can also view the
respective target SLA parameters in the graphs.
NOTE: The graphical representation of the performance of all SLA parameters
for the WAN links is available only in the graph view.
To view a graphical representation of the performance of all SLA parameters for the
WAN links:
• Select All at the top right of the section. By default, All is selected.
A graphical representation of the performance of the SLA parameters such as RTT,
latency, packet loss, and jitter for the specified time range for all WAN links is displayed.
• Select wan_0, wan_1, and so on at the top right of the section to view the performance
of the SLA parameters for the MPLS and Internet WAN links. You can enable and
configure wan_0, wan_1, and so on and map them to MPLS or Internet links when you
create a site.
The graphical representation of the performance of the SLA parameters such as RTT,
latency, packet loss, and jitter for the specified time range is refreshed and only the
performance for the selected WAN link is displayed.
• (Optional) Click Legend at the bottom right of the section to view the plotting legend
for the horizontal dotted lines parallel to the x-axis in the graphs. The horizontal dotted
lines represent the respective target SLA parameters of the SLA profiles.
NOTE: RTT is represented as Delay on the Application SLA Profiles page. See
“Application SLA Profiles” on page 160.
Related Documentation
• About the SLA Performance of All Tenants Page on page 37
• About the SLA Performance of a Single Tenant Page on page 39
• Viewing the SLA Performance of an Application or Application Group on page 46
Viewing the SLA Performance of an Application or Application Group
You can use the Monitor > Tenant-Name SLA Performance > Site-Name SLA Performance
page in the Administration Portal to view the SLA performance of individual applications
and application groups in a site. You can also view the SLA performance of the associated
SLA profile for all SLA parameters.
To view the SLA performance of an application or application group:
• Click one of the circles or squares in the Applications SLA Performance by Throughput
section on the Site-Name SLA Performance page.
The page that appears displays SLA performance details of the application or
application group.
Table 24 on page 46 describes the fields on the application or application group SLA
Performance details page.
Table 24: Fields on the Application or Application Group Details Page
Field
Description
Category and Description
View the category of the application or application group. The category can be Messaging,
Web, Infrastructure, Remote-Access, Multimedia, Video, and so on.
You can also view a description of the application or application group.
SLA
View the name of the SLA profile associated with the application or application group.
Target
View the current target throughput defined in the SLA profile associated with the application
or application group. If the target throughput was modified during runtime, the date and time
when the throughput was modified and the previously defined throughput value are also
displayed.
Avg. Performance
View the average throughput performance (in %) above or below the configured target
throughput. The average throughput (in Mbps) is displayed within parentheses.
SLA Metrics by Throughput
View a graphical representation of the SLA metrics by throughput during the specified time
range for that application or application group. The y-axis represents the throughput (in Mbps).
The x-axis represents the specified time range. Hover over the graph to view the throughput
value and time at any specified point. You can also view the sessions consumed by the WAN
links for the application or application group for the specified time range.
46
Copyright © 2018, Juniper Networks, Inc.
Chapter 8: Monitoring Tenants SLA Performance
Table 24: Fields on the Application or Application Group Details Page (continued)
Field
Description
Global SLA Profile
Performance
View the performance for all the SLA parameters of the SLA profile associated with the
application or application group. The SLA performance is represented by a color-coded donut
chart. The section in blue in the donut chart indicates the percentage of time during which SLA
requirements for the SLA profile were met. The section in red in the donut chart indicates the
percentage of time during which SLA requirements for the SLA profile were not met.
Click the red colored section of the donut chart to view more information about when SLA
requirements for the SLA profile were not met. The SLA Profile Performance page appears.
The SLA Profile Performance page displays the following fields:
•
SLA Profile—SLA profile associated with the application or application group
•
Target—Target throughput configured in the SLA profile
•
SLAs Not Met—Percentage of time SLA requirements were not met for the SLA profile
•
Sessions—Number of sessions consumed by the application or application group
•
Start Time—Time at which the WAN links associated with the application or application
groups started to fail meeting the SLA requirements
•
End Time—Time at which SLA profile requirements started to be met again
•
Avg Val—Average throughput (in Mbps) when the SLA requirements started to fail
•
Duration—Total duration (in seconds) during which SLA requirements were not met
•
From—Source WAN link
•
To—Destination WAN link
Related Documentation
•
About the SLA Performance of All Tenants Page on page 37
•
About the SLA Performance of a Single Tenant Page on page 39
•
Viewing the SLA Performance of a Site on page 41
CHAPTER 9
Monitoring Jobs
•
About the Jobs Page on page 49
•
Viewing Job Details on page 51
•
Editing and Deleting Scheduled Jobs on page 51
•
Retrying a Failed Job on Devices on page 52
About the Jobs Page
To access this page, click Monitor > Jobs.
Use this page to view the list of all jobs and the jobs that are scheduled to be executed.
You can view general information about the jobs and the overall progress and status of
the jobs. You can also edit and delete scheduled jobs.
Tasks You Can Perform
You can perform the following tasks from this page:
•
View details about a job. See “Viewing Job Details” on page 51.
•
Retry a job. See “Retrying a Failed Job on Devices” on page 52.
•
Edit and delete scheduled jobs. See “Editing and Deleting Scheduled Jobs” on page 51.
Field Descriptions
Table 25 on page 49 provides guidelines on using the fields on the Jobs page.
Table 25: Fields on the Jobs Page
Field
Description
Job Name
View the name of the job.
Example: MSEC_DOWNLOAD_IPS/APPLICATION_SIGNATURES_08_Jul_17_124229_024
Resource Name
View the resource name of the job.
Example: Download IPS/Application Signatures
Status
View the status of the job to know whether the job succeeded or failed.
Example: Success
Owner
View the name of the owner who created the job.
Example: cspadmin
Number of Tasks
View the number of tasks associated with the job.
Example: 2
For example, the tasks site.ucpe-32 and customer.sdwan are associated with this job.
Job Type
View the job type.
Example: tssm import pop
Start Date
View the start date and time of a task associated with the job.
End State
View the end date and time of a task associated with the job.
Field Descriptions
Table 26 on page 50 provides guidelines on using the fields on the Scheduled Jobs page.
Table 26: Fields on the Scheduled Jobs Page
Field
Description
Schedule ID
View the unique ID of the scheduled job. The value is generated by the database when a new
schedule record is inserted into the database.
Example: 48
Name
View the unique name of the scheduled job.
Example: Tenant Delete_csp.tssm_remove_site_e340354716ae43859fad5ba15669eee2
Status
View the status of the last triggered job. The following states are available: scheduled, In progress,
complete, or failed.
The default status is scheduled.
Job Type
View the job type.
Example: tssm onboard tenant
Owner
View the name of the owner who scheduled the job.
Example: cspadmin
Next Run Time
View the time when the job is scheduled to run next.
Related Documentation
•
Editing and Deleting Scheduled Jobs on page 51
•
Retrying a Failed Job on Devices on page 52
Viewing Job Details
You can use the Detailed View page to view all the parameters of a job.
To view details of a job:
•
Right-click the job name that you want to see the detailed view for and select Detail
View, or select the job and click More > Detail View.
•
Alternatively, hover over the job name and click the Detailed View icon that appears
before it.
The Detailed View page appears, showing the details of the job and the number of tasks
associated with the job. See the relevant topic “About the Jobs Page” on page 279 for a
description of the fields on these pages.
Related Documentation
•
About the Jobs Page on page 49
Editing and Deleting Scheduled Jobs
You can edit and delete scheduled jobs. This topic contains the following sections:
•
Editing Scheduled Jobs on page 51
•
Deleting Scheduled Jobs on page 52
Editing Scheduled Jobs
You can modify the date and time of deployment of scheduled jobs.
To modify a scheduled job:
1.
Select Monitor > Jobs > Scheduled Jobs.
The Scheduled Jobs page appears.
2. Select the job whose deployment you want to reschedule, and click the edit icon.
The Edit Schedule page appears.
3. To execute the job immediately, delete the existing scheduled entry, create a new
entry, and then select the Run now option. To reschedule the job for a later date and
time, select the Schedule at a later time option.
4. Click Save to save the changes.
The modified job and its details are displayed on a page.
Deleting Scheduled Jobs
You can delete one or more scheduled jobs.
To delete a scheduled job:
1.
Select Monitor > Jobs > Scheduled Jobs.
The Scheduled Jobs page appears with a list of jobs.
2. Select the check box of the job that you want to delete and then click the delete icon
(X).
The Confirm Delete page appears.
3. Click Yes to confirm.
The scheduled job is deleted.
Related Documentation
•
About the Jobs Page on page 49
•
Viewing Job Details on page 51
Retrying a Failed Job on Devices
You can retry tssm.ztp type jobs that did not complete successfully on your devices.
Retrying a failed job saves time because instead of creating the job again and executing
it, you can simply retry the failed job.
NOTE: The Retry Job button is enabled only for failed ZTP jobs.
To retry a job that was not successful:
1.
Select Monitor > Jobs.
The Jobs page appears.
2. Select the failed job (tssm.ztp type) that you want to retry.
3. At the top right corner of the Jobs page, click the Retry Job button.
The job is executed in the back end and the device status on the Sites page is changed
to PROVISIONED.
Related Documentation
•
About the Jobs Page on page 49
•
Editing and Deleting Scheduled Jobs on page 51
CHAPTER 10
Managing POPs
•
About the POPs Page on page 55
•
Creating a Single POP on page 57
•
Importing Data for Multiple POPs on page 68
•
Viewing the History of POP Data Imports on page 73
•
Viewing the History of POP Data Deletions on page 74
•
Managing a Single POP on page 76
•
About the VIMs Page on page 76
•
Creating a Cloud VIM on page 78
•
About the EMS Page on page 82
•
Creating an EMS on page 83
•
Changing the Junos Space Virtual Appliance Password on page 85
•
About the Routers Page on page 85
•
Creating Devices on page 87
•
Configuring Devices on page 89
•
Adding a Hub Device on page 92
•
View the History of Device Data Deletions on page 94
About the POPs Page
To access this page, click Resources > POPs.
You can use the POPs page to view the list of available POPs in the service provider
network. You can also view information about each POP in the network.
Tasks You Can Perform
You can perform the following tasks from this page:
•
Quickly view important data about POPs in the widgets that appear at the top of the
page. See Table 27 on page 56.
•
Create a POP. See “Creating a Single POP” on page 57.
•
Import data for multiple POPs. See “Importing Data for Multiple POPs” on page 68.
•
View the history of POP data imports. See “Viewing the History of POP Data Imports”
on page 73.
•
View the history of POP data deletions. See “Viewing the History of POP Data Deletions”
on page 74.
•
View details about a POP. Hover over the name of a POP or click More > Quick View.
See “Viewing Object Details” on page 14.
•
Show or hide columns about the POPs. See “Sorting Objects” on page 15.
•
Search for an object on the POPs page. See “Searching for Text in an Object Data Table”
on page 15.
•
Delete a POP. See “Deleting Objects” on page 14.
Field Descriptions
Table 27 on page 56 describes the widgets on the POPs page.
Table 27: Widgets on the POPs Page
Widget
Description
Top POPs by CPU Allocation
View the top three POPs using the largest percentage of CPU from the
assigned cores.
Click a POP name to view detailed information about the resources the
POP uses.
Top POPs by Storage Allocation
View the top three POPs using the most storage from the allocated storage
space in gigabytes (GB).
Click a POP name to view detailed information about the resources the
POP uses.
Top POPs by Memory Allocation
View the top three POPs using the most memory from the allocated
memory size in megabytes (MB).
Click a POP name to view detailed information about the resources the
POP uses.
Table 28 on page 56 shows the fields on the POPs page.
Table 28: Fields on the POPs Page
Field
Description
Name
View the name of the POP.
Example: regional
Location
View the location of the POP.
Example: Sunnyvale, CA
CPU Allocated
View the amount of CPU allocated for the POP.
Memory Allocated
View the amount of memory allocated for the POP.
Storage Allocated
View the amount of storage allocated for the POP.
VIMs
View the number of VIMs provisioned in the POP.
•
0—Either a distributed deployment or a centralized deployment for which you have
not yet configured a VIM.
•
1—Centralized deployment
Example: 1
EMS
View the number of EMS applications provisioned in the POP.
Example: 2
Routers
View the number of routers provisioned in the POP.
Example: 1
Tenants
View the list of tenants in the POP.
Example: Softbank, ATT, and Juniper
Sites
View the number of tenant sites in the POP.
Example: 4
Related Documentation
•
Creating a Single POP on page 57
•
About the VIMs Page on page 76
•
About the EMS Page on page 82
•
About the Routers Page on page 85
Creating a Single POP
You can use the POPs page to create a network point of presence (POP) and its
associated resources, such as a provider edge device for the POP, a virtualized
infrastructure manager (VIM), a container for a management network for the VIM, and
an element management system (EMS).
Creating a single POP involves adding several types of objects, depending on whether
the POP is for a centralized or distributed deployment. The sections in this topic describe
how to add each type of object to a POP in Administration Portal. You must finish the
steps in each section to create the objects that you need for a single POP and to save
the POP successfully. This topic includes the following sections:
•
Adding Information About the POP on page 58
•
Adding a Device on page 59
•
Adding a VIM on page 62
•
Adding an EMS on page 65
•
Reviewing and Saving the POP Configuration Settings on page 67
Adding Information About the POP
To create a single POP and to add basic information to the POP:
1.
Click Resources > POPs.
The POPs page appears.
2. Click the plus icon (+).
The Add POP page appears.
3. Complete the configuration settings according to the guidelines provided in
Table 29 on page 58.
4. Click Next and proceed to "Adding a Device".
The Add Device table appears.
Table 29: Fields on the Add POP page
Field
Description
Region
Select the name of the region for this POP.
Example: regional
NOTE: The administrator must not delete the region name.
POP Name
Specify the name of the POP. You can use an unlimited number of alphanumeric characters,
including special characters.
Example: north-east.
Street Address
Specify the street address. You can use an unlimited number of alphanumeric characters, including
special characters.
Example: 1133 Innovation Way
City
Specify the name of the city. You can use an unlimited number of alphanumeric characters,
including special characters.
Example: Sunnyvale
State/Province
Specify the name of the state. You can use an unlimited number of alphanumeric characters,
including special characters.
Example: California
ZIP/Postal Code
Specify the zip code or postal code for the country. You can use an unlimited number of
alphanumeric characters, including special characters.
Example: 94089
Country
Select the name of the country.
Example: USA
Adding a Device
You can add the following devices to a POP:
•
A router that acts as an SDN gateway and provides a Layer 3 routing service to customer
sites for a centralized deployment.
•
A router that acts as a provider edge (PE) router and an IPsec concentrator for a
distributed deployment.
To add a device:
1.
Click Resources > POPs > + .
The Add POP page appears.
2. Complete the configuration settings according to the guidelines provided in
Table 29 on page 58.
3. Click Next.
The Device section appears.
4. Click the plus icon (+) in the Add Device section.
The Add Device page appears.
5. Complete the configuration according to the guidelines in Table 30 on page 60.
6. Click Save.
7. Proceed as follows:
•
For a centralized deployment, click Next and proceed to “Adding a VIM”.
•
For a distributed deployment, click 5 (Summary) and proceed to “Reviewing and
Saving the POP Configuration Settings” on page 67.
Table 30: Fields on the Add Device Page
Field
Description
Name
Specify the name of the device, such as a data center gateway, a PE router, or an IPsec
concentrator. Some device examples are listed below.
•
An MX Series router used as an SDN gateway in a centralized deployment.
•
An MX Series router used as a provider edge (PE) router in a distributed deployment.
•
An SRX Services Gateway router or a vSRX instance used as a CPE device in a distributed
deployment.
You can use letters, numbers, spaces, periods, dashes, underscores, commas, @, #, $, %, &, and
*. Maximum length is 255 characters.
Example: MX-router-10
Family
Select the product family for the device.
Example: MX
Device Template
Select the name of the device template for the device:
•
Juniper-MX-MIS—Customized device template for an MX Series router that prevents the creation
of black holes when an administrative user activates a service at a site. Select this option only
if you have been advised to do so by Juniper Networks.
•
SDN-GW-MX—Default template for MX Series router. Select this option for MX routers in
centralized and distributed deployments unless Juniper Networks advises use of the
Juniper-MX-MIS device template.
•
SRX_Basic_SDWAN_HUB—Device template for an SRX Services Gateway used as a CPE device
that offers basic SD-WAN functionality in a distributed deployment. Select this option only if
you have been advised to do so by Juniper Networks.
•
SRX_deployment_option_1—Device template for an SRX Services Gateway or a vSRX used as
a CPE device in a distributed deployment.
•
NFX_deployment_option_1—Device template for an NFX device in distributed deployment. This
template supports port-forwarding with Contrail Service Orchestration initiated connection.
•
SRX_Managed_Internet_CPE—Device template to manage an SRX Services Gateway device
for a managed internet service.
•
NFX_Managed_Internet_CPE—Device template to manage an NFX device for a managed internet
service.
•
NFX_deployment_option_4—Device template for an NFX device in distributed deployment.
This template supports outbound SSH, which is the device initiated connection, with
port-forwarding capability.
•
vSRX-VNF-NFX—Device template for a vSRX VNF application on an NFX platform for a
distributed deployment.
Type of Device
Select the type of device:
•
PNE—Device is managed by the EMS.
Use this option for devices, such as data center gateway, in a centralized deployment, for an
SRX Services Gateway or a vSRX used as a CPE device in a distributed deployment, and for PE
routers in a distributed deployment that you want the EMS to manage.
•
PE/IPsec—Device is not managed by the EMS.
Use this option for devices, such as provider edge (PE) router or IPsec concentrator, in a
distributed deployment that you do not want the EMS to manage.
PNE package
If you specified that the device is a PNE for a centralized deployment, select the name of the
package that contains metadata and configuration instructions for the PNE:
•
SRX—Use with SRX Series device template.
•
Juniper-MX—Use with the SDN-GW-MX device template.
•
Juniper-MX-MIS—Customized device template with MX Series configuration that prevents the
creation of black holes when an administrative user activates a service at a site. Use with the
Juniper-MX-MIS device template.
You must specify the PNE package only for a data center gateway device.
Do not use the SRX Series package for the MX router.
Management Type
Specify the management type for the PE device. The following options are available:
•
Managed—Select Managed if you use Contrail Service Orchestration to manage the device.
•
Unmanaged—Select Unmanaged if you use another application to manage the device.
Example: Unmanaged
Device IP
Specify the IPv4 address of the management interface for the device.
Example: 192.0.2.15
Internet Gateway (optional)
If you specified that the device is a PE router or an IPsec concentrator for a distributed deployment,
then specify the IPv4 address of the Internet gateway. You can also specify a list of public IP
addresses of the Internet Key Exchange (IKE) gateways on this device.
Example: 192.0.2.20
User Name
Specify the username that you configured when you set up the device. You use this username to
log into the device. Providing login credentials gives Contrail Service Orchestration access to the
device.
Password
Specify the password that you configured when you set up the device. You use this password to
log in to the device. Providing login credentials gives Contrail Service Orchestration access to
the device.
Adding a VIM
For a centralized deployment, you must specify information about Contrail Cloud Platform,
which provides the VIM.
You must add a VIM for a centralized deployment. Do not add a VIM for a distributed
deployment.
To add a VIM:
1.
Click Resources > POPs > + .
The Add POP page appears.
2. Complete the configuration settings according to the guidelines provided in
Table 29 on page 58.
3. Click Next.
The Device section appears.
4. Click Next.
The VIM page appears.
5. In the Connection Information section, specify details for the Contrail Cloud Platform
that provides the VIM for this POP.
6. Complete the configuration according to the guidelines in Table 31 on page 63.
7. In the Network Information section, click the plus icon (+) to add each resource pool.
8. In the Network Information section, specify details for the management network in
Contrail.
You can either specify details for a management network that you already created in
Contrail or specify details for a new management network that Administration Portal
notifies Contrail to automatically create.
9. If this POP has a direct connection to the Internet, in the Internet Network section,
click the plus icon (+) to add information about the Internet network in Contrail.
10. Click Save.
11. Proceed as follows:
•
If you use virtualized network functions (VNFs) that require an EMS other than the
EMS microservice, click Next and proceed to "Adding an EMS".
•
If you do not need an additional EMS, click 5 (Summary) and proceed to “Reviewing
and Saving the POP Configuration Settings” on page 67.
Table 31: Fields on the Add Cloud VIM Page
Field
Guidelines
Name
Specify the name of the virtualized infrastructure manager (VIM) for a centralized deployment.
You can add multiple VIMs to a point of presence (POP). You can use letters, numbers, spaces,
periods, dashes, underscores, commas, @, #, $, %, &, and *. Maximum length is 255 characters.
Example: vcpe-vim
Type
View the VIM type. The default VIM type is cloud.
Example: Cloud
Connection Information
IP address
Specify the IPv4 address of the Contrail Controller node in the Contrail Cloud Platform that
provides the virtualized infrastructure manager (VIM). If you use a high availability (HA)
configuration for the Contrail Cloud Platform, specify the virtual IP address of the Contrail
Controller node.
Example: 10.102.28.36
Auth URL
Specify the authentication URL for the OpenStack Keystone.
Example: http://ip:5000/v3
User Name
Specify the OpenStack Keystone username that you configured.
Example: admin
Password
Specify the OpenStack Keystone password that you configured.
Example: contrail123
Domain
Specify the name of the OpenStack domain that you configured.
Example: default
Tenant
Specify the name of the OpenStack tenant that you configured.
Example: admin
Network Information
Resource Pools
Resource Pool Name
Specify a resource pool for each VIM. You can use an unlimited number of alphanumeric
characters, including special characters.
Example: north-east.
Compute Zone
Specify the availability zone in Contrail OpenStack in which the virtual machines for network
services reside. The default availability zone is nova.
You can run the nova availability-zone-list command on the Contrail OpenStack to find the list
of available zones.
Example: nova
Does Management Network Exists?
Specify whether to use an existing virtual network in Contrail OpenStack or to create a new
one.
•
yes—Import the named virtual network from Contrail OpenStack.
•
no—Create a virtual network in Contrail OpenStack with the specified name.
Management Network Name
Specify the name of the existing management network in Contrail or the new management
network that you want to create in Contrail.
Example: mgmt-net
Management Network Information
Route Target
Specify one or more route targets for the existing management network in Contrail or the new
management network that you want to create in Contrail.
Example: 64512:10000.
Subnet
Specify one or more prefixes that define the subnets for the Contrail Compute nodes. You can
use an IPv4 address. Specify one or more IPv4 prefixes for the existing network in Contrail or
the new network that you want to create in Contrail.
Example: 192.0.2.0/24.
Internet Network Information
Network Name
Specify the name of the Internet network.
Example: int-net
Does Exist
Specify whether to use an existing virtual network in Contrail OpenStack or to create a new
one.
•
True—Import the named virtual network from Contrail OpenStack.
•
False—Create a virtual network in Contrail OpenStack with the specified name.
Route Target
Select the route target for the internet network in Contrail.
Example: 64512:10000.
Subnet
Select the prefix that defines the subnet for the Contrail Compute nodes.
You can use an IPv4 address.
Example: 192.0.2.0/24.
Service Profile Information
Profile Name
Specify the name of the service profile in a VIM instance. Create one or more service profiles if
you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized
deployment. A service profile specifies the Contrail OpenStack tenant, domain, and login
credentials. After Contrail Service Orchestration authenticates a tenant (customer), it uses
the information in the service profile to provide access to Contrail OpenStack.
Example: vim-service-profile
Tenant Name
Specify the infra tenant for whom you want to assign the service profile.
Example: test-tenant
Domain Name
Specify the Infra domain name.
Example: Default
User Name
Specify the username of the tenant.
Example: admin
Password
Specify the password for the tenant user.
Example: password123
Default Service Profile
Specify the name of the default service profile if you use a dedicated OpenStack Keystone for
Contrail Service Orchestration. If you do not specify a service profile when you configure the
tenant, Contrail Service Orchestration uses the default profile to authenticate the tenant.
Example: default-service-profile
Adding an EMS
Configure an element management system (EMS) if you use virtualized network functions
(VNFs) that require an EMS other than the EMS microservice.
To add an EMS:
1.
Click Resources > POPs > + .
The Add POP page appears.
2. Complete the configuration settings according to the guidelines provided in
Table 29 on page 58.
3. Click Next.
The Device section appears.
4. Click Next.
The VIM page appears.
5. Click Next.
The EMS page appears.
6. Click the plus icon (+) to add the EMS.
7. Complete the configuration according to the guidelines in Table 32 on page 66.
8. Click Save.
9. Click Next to review the configuration settings for the POP.
Table 32: Fields on the Add EMS Page
Field
Guidelines
Name
Name of the EMS. This field is auto-populated with the name that you specified when you deployed
the Junos Space Virtual Appliance.
Example: Junos Space
IP
Specify the IPv4 address of the Junos Space Web user interface (UI).
For a redundant Contrail Service Orchestration, configure the IP address of the Web UI for the
primary Junos Space Virtual Appliance.
Example: 192.0.2.3.
Vendor
Specify the vendor for the EMS.
Example: Juniper Networks
Version
Specify the version number of the EMS. The default version is 15.1.
Example: 15.1
Authentication URL
Specify the authentication URL for the EMS application.
User Name
Specify the username of the device administrator that you configured. This user should be assigned
the admin role in all the tenants. The default username is super.
Example: super
Password
Specify the administrator password that you configured. The default password is juniper123.
Example: juniper123
Reviewing and Saving the POP Configuration Settings
After you have configured a POP and its associated resources, you can review and save
a copy of the configuration settings. Finally, you must save the POP that you configured.
1.
Click Resources > POPs > + .
The Add POP page appears.
2. Complete the configuration settings according to the guidelines provided in
Table 29 on page 58.
3. Click Next.
The Device section appears.
4. Click Next.
The VIM page appears.
5. Click Next.
The EMS page appears.
6. Click Next.
The Summary page appears.
7. Click Summary > Edit to edit the configuration settings of the objects that you
configured.
8. Click Download POP Payload to save a JSON file of the configuration settings of the
objects that you configured.
9. Click OK to save the POP configuration. If you want to discard your changes, click
Cancel instead.
Related Documentation
•
About the POPs Page on page 55
•
About the EMS Page on page 82
•
About the VIMs Page on page 76
•
About the Routers Page on page 85
Importing Data for Multiple POPs
You can use the Import POPs page to import a POP and its associated resources, such
as a provider edge device for the POP, a virtualized infrastructure manager (VIM), a
container for management network for the VIM, and an element management system
(EMS).
•
Customizing a POP Data File on page 68
•
Uploading a POP Data File on page 72
Customizing a POP Data File
To customize a POP data file:
1.
Select Resources > POPs.
2. Click Import POPs > Import.
The Import POPs page appears.
3. Click the Download Sample JSON link to open and save the sample JSON data file.
The sample file opens at the bottom of the page.
4. Save the file to your computer with an appropriate name.
Example: sample-pop-data.json
NOTE: You need to retain the file format as .json to successfully upload
the POP details to the Administration Portal.
5. Customize the sample JSON file using the guidelines in Table 33 on page 68.
6. Save the customized file.
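The following added example (not part of the Juniper guide or product) lints a customized POP data file before upload, checking fields by the key names that Table 33 defines: documented default passwords, the eight-character, three-of-four-classes password rule, a non-HTTPS auth_url, and malformed IPv4 addresses, subnets, and route targets. The container keys in the constructed sample (pop, vim, ems, device, management_network) and applying the EMS password rule to every password field are assumptions; the checker walks any nesting, so it does not depend on that layout.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Passwords the guide prints as defaults or examples. A file that still holds
# one of them was not customized before upload.
DOCUMENTED_PASSWORDS = {"juniper123", "contrail123", "password123"}
IP_KEYS = {"address", "ip", "device_ip"}      # IPv4 address fields in Table 33
ROUTE_TARGET_RE = re.compile(r"^\d+:\d+$")    # for example 8887:887


def password_classes(value):
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.isupper() for c in value),
        any(c.islower() for c in value),
        any(c.isdigit() for c in value),
        any(not c.isalnum() for c in value),
    ))


def check_field(path, key, value):
    """Return (path, problem) findings for one string value stored under key."""
    findings = []
    if key == "password":
        if value in DOCUMENTED_PASSWORDS:
            findings.append((path, "password is a default/example value from the guide"))
        if len(value) < 8 or password_classes(value) < 3:
            findings.append((path, "password fails the 8-character, 3-of-4-classes rule"))
    elif key == "auth_url":
        if urlparse(value).scheme != "https":
            findings.append((path, "Keystone credentials would be sent without TLS"))
    elif key in IP_KEYS:
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            findings.append((path, "not a valid IPv4 address"))
    elif key == "subnet":
        try:
            ipaddress.IPv4Network(value, strict=True)
        except ValueError:
            findings.append((path, "not a valid IPv4 prefix (host bits set or malformed)"))
    elif key == "route_target":
        if not ROUTE_TARGET_RE.match(value):
            findings.append((path, "route target is not in number:number form"))
    return findings


def lint(node, path="$"):
    """Walk the parsed JSON at any nesting depth and collect findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # A field may hold one string or a list of strings (several subnets).
            for item in value if isinstance(value, list) else [value]:
                if isinstance(item, str):
                    findings += check_field(child, key, item)
            findings += lint(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings += lint(item, f"{path}[{index}]")
    return findings


# Constructed sample, not the product's sample file: the container keys are
# assumed; the leaf keys are the ones described in Table 33.
SAMPLE = json.loads("""
{
  "pop": {"dc_name": "regional", "name": "pne-pop10"},
  "vim": {
    "name": "vim10",
    "address": "10.102.28.148",
    "auth_url": "http://10.102.28.148:5000/v3",
    "username": "admin",
    "password": "contrail123",
    "management_network": {
      "vl_name": "mgmt-net",
      "route_target": "8887:887",
      "subnet": "10.102.82.5/23"
    }
  },
  "ems": {"name": "Junos Space", "ip": "10.102.86.12",
          "username": "super", "password": "Xk4!pq7#Lm"},
  "device": {"name": "PNE-MX10", "device_ip": "192.0.2.315"}
}
""")

if __name__ == "__main__":
    for where, problem in lint(SAMPLE):
        print(f"{where}: {problem}")
```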
Table 33: Fields on the POPs Page
Field
Description
POP Information
dc_name
Specify the name of the region for this POP.
Example: regional
NOTE: Administrator should not delete the region name.
name
Specify the name of the POP. You can use an unlimited number of alphanumeric characters,
including special characters.
Example: pne-pop10
street
Specify the street address.
Example: 1133 Innovation Way
city
Specify the name of the city.
Example: Sunnyvale.
state
Specify the name of the state.
Example: CA
zip_code
Specify the zip code or postal code for the state.
Example: 94089.
country
Specify the name of the country.
Example: USA
VIM Information
NOTE: You must add a VIM for a centralized deployment. Do not add a VIM for a distributed deployment.
name
Specify the name of the VIM instance. You can use an unlimited number of alphanumeric characters,
including special characters.
Example: vim10
vim_type
Specify the VIM instance type. The default VIM type is cloud.
Example: cloud
address
Specify the IP address of the primary Contrail Configure and Control node for the Contrail Cloud
Reference Architecture (CCRA) for this POP.
Example: 10.102.28.148
auth_url
Specify the authentication URL for the OpenStack Keystone.
Example: http://10.102.28.148:5000/v3
default_domain
Specify the name of the OpenStack domain that you configured.
Example: Default.
password
Specify the OpenStack Keystone password that you configured.
Example: contrail123
default_tenant
Specify the name of the OpenStack tenant that you configured.
Example: admin
username
Specify the OpenStack Keystone username that you configured.
Example: admin
Resource Pool
name
Specify a resource pool for each VIM. You can use an unlimited number of alphanumeric characters,
including special characters.
Example: ResoucePool123
compute_zone
Specify the availability zone in Contrail OpenStack in which the VMs for network services reside.
The default availability zone is nova.
You can run the nova availability-zone-list command on the Contrail OpenStack to find the list of
available zones.
Example: nova
Management Network
vld_name
Specify the name of the virtual link descriptor for the management network. The default name is
mgmt.
Example: mgmt
vl_name
Specify the name of the management network in Contrail.
Example: mgmt-net
onboard
Specify the onboard value for the management network.
•
true—Import named virtual network object from VIM.
•
false—Create a virtual network in VIM with the specified name.
route_target
Select the route target for the management network in Contrail.
Example: 8887:887
subnet
Specify one or more prefixes that define the subnets for the Contrail Compute nodes. You can use
an IPv4 address.
Example: 10.102.82.0/23
EMS Information
name
Specify the name of the EMS application.
Example: Junos Space
ip
Specify the IP address of the Junos Space Web user interface (UI). For a redundant Contrail Service
Orchestration, configure the IP address of the Web UI for the primary Junos Space Virtual Appliance.
Example: 10.102.86.12
username
Specify the username of the device administrator that you configured. This user should be assigned
the admin role in all the tenants. The default username is super.
Example: super
password
Specify the administrator password that you configured. The default password is juniper123.
You can choose a password that is at least eight characters long and contains characters from at
least three of the following four character classes: uppercase letters, lowercase letters, numbers
(0 through 9), and special characters.
Example: juniper123
vendor
Specify the vendor for the EMS.
Example: Juniper Networks
version
Specify the version number of the EMS.
Example: 15.1
Device Information
name
Specify the name of the device, such as a physical network element (PNE) for a centralized
deployment. You can use any number of alphanumeric characters, including special characters.
Example: PNE-MX10
device_ip
Specify the management IP address of the device.
Example: 192.0.2.15
pne_package
Specify the name of the package providing metadata and configuration templates needed to
program a PNE device for service chain attachments in the case of a vCSO solution. If you configure
a PNE for the POP in a centralized deployment, select a software image from the menu:
• SDN-GW-MX—Default for MX Series router. Select this option for most installations.
• Juniper-MX-MIS—Customized device profile with MX configuration that prevents the creation
of black holes when an administrative user activates a service at a site.
You must specify the PNE package only for a data center gateway device.
Do not use the SRX Series package for the PE router or the SDN gateway.
assigned_device_profile
Select the name of the configuration image for the SDN gateway or the PE router.
• SDN-GW-MX—Default for MX Series router. Select this option for most centralized deployments
and for all distributed deployments.
• Juniper-MX-MIS—Customized device profile with MX Series configuration that prevents the
creation of black holes when an administrative user activates a service at a site.
• SRX_Basic_SDWAN_HUB—Device profile for an SRX Services Gateway used as a CPE device
that offers basic SD-WAN functionality in a distributed deployment. Select this option only if
you have been advised to do so by Juniper Networks.
username
Specify the username of the device administrator for logging into the device.
Example: root
password
Specify the password for logging into the device.
Example: pwd123
Uploading a POP Data File
You can use the Administration Portal to import POP data to support tenant services.
To upload a POP data file:
1. Select Resources > POPs.
2. Click Import POPs > Import.
The Import POPs page appears.
3. Click Browse and navigate to the directory containing the POP data file.
4. Select the file and click Open.
5. Click Import. If you want to discard the import process, click Cancel instead.
A success message is displayed indicating that the job was uploaded successfully.
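A pre-upload check for the credential and addressing fields described in Table 33, as an added example that is not part of the original guide or of Contrail Service Orchestration. It works on already-parsed records; the section keys (vim, management_network, ems, device), the constructed SAMPLE_POP data, and the choice to apply the EMS password rule to every password field are assumptions made for illustration.

```python
import ipaddress
import re
import string

# Passwords that the guide prints as defaults or examples. Anyone who has read
# the documentation knows them, so they should never reach a production import.
DOCUMENTED_PASSWORDS = {"contrail123", "juniper123", "passw0rd", "pwd123", "password123"}

# Route targets appear in the guide as <number>:<number>, for example 64512:10000.
ROUTE_TARGET_RE = re.compile(r"\d+:\d+")

# Fields that must hold a single IPv4 address.
ADDRESS_FIELDS = ("address", "ip", "device_ip")


def password_classes(password):
    """Count how many of the four character classes the password uses."""
    upper = any(c in string.ascii_uppercase for c in password)
    lower = any(c in string.ascii_lowercase for c in password)
    digit = any(c in string.digits for c in password)
    special = any(c not in string.ascii_letters + string.digits for c in password)
    return sum((upper, lower, digit, special))


def meets_policy(password):
    """Guide's rule: at least eight characters and at least three of four classes."""
    return len(password) >= 8 and password_classes(password) >= 3


def check_fields(section, fields):
    """Return a list of findings for one group of fields (one table section)."""
    findings = []
    password = fields.get("password")
    if password is not None:
        if password in DOCUMENTED_PASSWORDS:
            findings.append(f"{section}.password: value is printed in the user guide")
        if not meets_policy(password):
            findings.append(f"{section}.password: under 8 characters or under 3 character classes")
    for key in ADDRESS_FIELDS:
        if key in fields:
            try:
                ipaddress.IPv4Address(fields[key])
            except ValueError:
                findings.append(f"{section}.{key}: {fields[key]!r} is not an IPv4 address")
    if "subnet" in fields:
        try:
            # strict=True also rejects prefixes with host bits set (e.g. 10.0.0.5/24).
            ipaddress.IPv4Network(fields["subnet"], strict=True)
        except ValueError:
            findings.append(f"{section}.subnet: {fields['subnet']!r} is not an IPv4 prefix")
    route_target = fields.get("route_target")
    if route_target is not None and not ROUTE_TARGET_RE.fullmatch(route_target):
        findings.append(f"{section}.route_target: {route_target!r} is not <number>:<number>")
    return findings


def check_pop(pop):
    """Run check_fields over every section of one POP record."""
    findings = []
    for section, fields in pop.items():
        findings.extend(check_fields(section, fields))
    return findings


# Constructed sample built from the example values in Table 33. The grouping
# into sections is an assumption, not the product's import file format.
SAMPLE_POP = {
    "vim": {"name": "vim10", "address": "10.102.28.148",
            "username": "admin", "password": "contrail123"},
    "management_network": {"vl_name": "mgmt-net", "route_target": "8887:887",
                           "subnet": "10.102.82.0/23"},
    "ems": {"name": "Junos Space", "ip": "10.102.86.12",
            "username": "super", "password": "juniper123"},
    "device": {"name": "PNE-MX10", "device_ip": "192.0.2.15.",
               "username": "root", "password": "pwd123"},
}

if __name__ == "__main__":
    for finding in check_pop(SAMPLE_POP):
        print(finding)
```

Every password printed in the guide, including the documented defaults juniper123 and passw0rd, uses only two character classes and so fails the password rule that the guide itself states for the EMS administrator.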
See Also
• Creating a Single POP on page 57
• Viewing the History of POP Data Imports on page 73
• Viewing the History of POP Data Deletions on page 74
Viewing the History of POP Data Imports
You can use the Import History page to view the imported POP data. You can also view
the details of the imported logs and their status.
To import your POP data, see “Importing Data for Multiple POPs” on page 68.
To view the history of imported POP data:
1. Click Resources > POPs > Import POPs > Import History.
The Import History page is displayed. Table 34 on page 73 describes the fields on the
Import History page.
2. Click a task name.
The Import POPs Tasks page appears. Table 35 on page 74 describes the fields on
the Import Task page.
3. Click the Task ID.
The Job Status page appears. Table 36 on page 74 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 34: Fields on the Import History Page
Field
Description
In progress
View the number of import tasks that are in progress.
Success
View the number of import tasks that are successful.
Failure
View the number of import tasks that have failed.
Name
View the name of the task.
Example: import_pop_csp.topology_service.import_pop_28c93be6325f4e87a440be096c7e4b58
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click a log to access more detailed information about
the imported log.
Table 35: Fields on the Import POPs Tasks Page
Field
Description
Task ID
View the ID created for the task.
Status
View the status of the task to know whether the task succeeded or failed.
Table 36: Fields on the Job Status Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who imported the task.
End Time
View the end date and time of the task.
State
View the status of the task to know whether the task succeeded or failed.
Related Documentation
• Importing Data for Multiple POPs on page 68
• Viewing the History of POP Data Deletions on page 74
Viewing the History of POP Data Deletions
You can use the Delete History page to view the deleted POP data, status of the delete
operation, and log details.
To view the history of deleted POP data:
1. Click Resources > POPs > Import POPs > Delete History.
The Delete History page is displayed. Table 37 on page 75 describes the fields on the
Delete History page.
2. Click a task name.
The Delete POPs Tasks page appears. Table 38 on page 75 describes the fields on
the Delete Task page.
3. Click the Task ID.
The Job Status page appears. Table 39 on page 75 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 37: Fields on the Delete History Page
Field
Description
Name
View the name of the task.
In progress
View the number of delete tasks that are in progress.
Success
View the number of delete tasks that are successful.
Failure
View the number of delete tasks that have failed.
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click on a log to access more detailed information about
the deleted log.
Table 38: Fields on the Delete POPs Tasks Page
Field
Description
Success
View the number of times the delete operation has been successful for a
POP.
Failure
View the number of times the delete operation has failed for a POP.
Task ID
View the ID created for the task.
Click on the task ID to view the delete log details corresponding to a POP.
Status
View the status of the task to know whether the task succeeded or failed.
Table 39: Fields on the Job Status Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who deleted the task.
End Time
View the end date and time of the task.
State
View the status of the task to know whether the task succeeded or failed.
Related Documentation
• Importing Data for Multiple POPs on page 68
• Viewing the History of POP Data Imports on page 73
Managing a Single POP
Use the tabs on this page to view and manage resources for this POP.
Related Documentation
• About the VIMs Page on page 76
• About the EMS Page on page 82
• About the Routers Page on page 85
• About the POPs Page on page 55
• Creating a Single POP on page 57
About the VIMs Page
To access this page, click Resources > POPs > POP Name > VIMs.
You can use the VIMs page to create a virtualized infrastructure manager (VIM) and to
view information about VIMs provisioned in the POP. The VIM in a Network Functions
Virtualization (NFV) implementation manages the hardware and software resources
that the service provider uses to create service chains and deliver network services to
customers.
Tasks You Can Perform
You can perform the following tasks from this page:
• Quickly view important data about VIMs created for POPs in the widgets that appear
at the top of the page. See Table 40 on page 77.
• Create a Cloud VIM. See “Creating a Cloud VIM” on page 78.
• Select a different POP from the drop-down list above the top left of the table to view
the VIM details in grid view.
• View details about a VIM. Click the details icon that appears when you hover over the
name of a VIM instance. See “Viewing Object Details” on page 14.
• Show or hide columns about the VIMs. See “Sorting Objects” on page 15.
• Search an object about the VIMs. See “Searching for Text in an Object Data Table” on
page 15.
Field Descriptions
• Table 40 on page 77 describes the widgets on the VIMs page.
• Table 41 on page 77 shows the fields on the VIMs page.
Table 40: Widgets on the VIMs Page
Widget
Description
Top VIMs by CPU Allocation
View the top VIMs using the largest percentage of CPU from the assigned
cores.
Top VIMs by Storage Allocation
View the top VIMs using the most storage from the allocated storage
space in gigabytes (GB).
Top VIMs by Memory Allocation
View the top VIMs using the most memory from the allocated memory
size in megabytes (MB).
Table 41: Fields on the VIMs Page
Field
Description
Name
View the name of the VIM in the POP.
IP Address
View the IP address of the primary Contrail Configure and Control node for the Contrail
Cloud Reference Architecture (CCRA) for this POP.
CPU Allocated
View the amount of CPU cores allocated to the POP by the VIM.
Memory Allocated
View the amount of memory allocated to the POP by the VIM.
Storage Allocated
View the amount of storage allocated to the POP by the VIM.
Domains
View the name of the OpenStack domain that you configured.
Vendor
View the vendor name of the VIM instance.
URL
View the uniform resource locator (URL) for the OpenStack Keystone.
Tenants
View the number of OpenStack tenants in the POP.
Related Documentation
• About the POPs Page on page 55
• About the VIMs Page on page 76
• About the Routers Page on page 85
• Creating a Single POP on page 57
Creating a Cloud VIM
You can use the VIMs page to create virtualized infrastructure managers (VIMs) for each
POP in the network. You create one VIM object for each POP in your network. Although
the Contrail Cloud Reference Architecture (CCRA) provides a VIM, when you create a
VIM you can specify several Contrail OpenStack settings. See Table 42 on page 79.
You can only create a VIM for a centralized deployment. A distributed deployment has
a default VIM that is created when the deployment is installed.
There are two authentication methods: CSO Keystone (Central Keystone)
authentication and authentication through an independent VIM instance’s Keystone (also
known as regional keystone). Customers can authenticate and authorize their own system
through OpenStack. Customers have to configure service profiles as a part of the VIM and
associate them with a tenant.
For example, consider ABC as a service provider and customer-a as the tenant for ABC.
The workflow for associating the service profile with the tenant is listed below:
1. The cspadmin configures the POP (vim-instance and domain creations) along with
vim-service-profiles when configuring the vim-instance. The vim-service-profiles
contain the respective VIM’s infra tenant details.
2. Configure ABC data center as a VIM.
3. ABC admin configures customer-a along with service-profile-name. This enables the VIM
microservice to map customer-a to the equivalent infra tenant as specified in
service-profile-name.
4. ABC admin, ABC tenant details, customer-a tenant, and customer-a account details
are present in CSO Keystone (Central Keystone), while infra tenant details that are
available as part of vim-service-profile are present only in regional keystone.
5. When creating a service, customer-a instantiates a network service. The request from
customer-a is received at NSO with customer-a’s authentication token from the regional
VIM keystone.
6. Based on the tenant name customer-a, the VIM region maps to the “admin” infra tenant,
because the service-profile-name with admin was provided when the “customer-a” tenant
was configured.
7. The VIM regional microservice can now use the infra tenant for its service instantiation
activities.
To create a VIM in the cloud:
1. Click Resources > POPs > POP Name > VIMs.
2. Click the plus icon (+).
The Add Cloud VIM page appears.
3. Configure the fields using the information provided in Table 42 on page 79.
4. Click Save. If you want to discard your changes, click Cancel instead.
Table 42: Fields on the Add Cloud VIM Page
Field
Guidelines
Name
Specify the name of the virtualized infrastructure manager
(VIM) for a centralized deployment. You can add multiple VIMs
to a point of presence (POP). You can use letters, numbers,
spaces, periods, dashes, underscores, commas, @, #, $, %, &,
and *. Maximum length is 255 characters.
Example: vcpe-vim
Type
View the VIM type. The default VIM type is cloud.
Example: Cloud
Connection Information
IP address
Specify the IP address of the Contrail Controller node in the
Contrail Cloud Platform that provides the virtualized
infrastructure manager (VIM).
Example: 10.102.28.36
Auth URL
Specify the authentication URL for the Contrail OpenStack
Keystone.
Example: http://ip:5000/v3
User Name
Specify the username for logging into Contrail Service
Orchestration. The default is cspadmin.
Example: cspadmin
Password
Specify the password for logging into Contrail Service
Orchestration. The default is passw0rd.
Example: passw0rd
Domain
Specify the name of the Contrail OpenStack domain that you
configured for the Contrail Cloud Platform.
Example: default
Tenant
Specify the name of the Contrail OpenStack tenant that you
configured for the Contrail Cloud Platform.
Example: admin
Network Information
Resource Pools
Resource Pool
Specify a resource pool name and the corresponding compute
zone, which is a group of compute nodes. You configure
compute zones as availability zones in Contrail OpenStack.
The default availability zone is Nova, and you can run the nova
availability-zone-list command on the Contrail controller node
to view a list of available zones.
Resource Pool Name
Specify a resource pool, which identifies the location in which
the virtual network functions (VNFs) are implemented. You
can use an unlimited number of alphanumeric characters,
including special characters.
Example: north-east
Compute Zone
Specify the availability zone in Contrail OpenStack in which
the virtual machines for network services reside. The default
availability zone is nova.
You can run the nova availability-zone-list command on the
Contrail OpenStack to find the list of available zones.
Example: nova
Does Management Network Exists?
Specify whether to use an existing virtual network in Contrail
OpenStack or to create a new one.
• yes—Import the named virtual network from Contrail
OpenStack.
• no—Create a virtual network in Contrail OpenStack with the
specified name.
Management Network Name
Specify the name of the existing network in Contrail or of the
new network that you want to create in Contrail.
Example: mgmt-net
Management Network Information
Route Target
Specify one or more route targets for the management network
to be created in Contrail.
Example: 64512:10000
Subnet
Specify one or more prefixes that define the subnets for the
Contrail Compute nodes. You can use an IPv4 address.
Example: 192.0.2.0/24
Internet Network Information
Network Name
Specify the name of the Internet network.
Example: int-net
Does Exist?
Select to add a new Internet connection for the VIM in Contrail
OpenStack.
Route Target
Select the route target for the internet network in Contrail.
Example: 64512:10000
Subnet
Select the prefix that defines the subnet for the Contrail
Compute nodes.
You can use an IPv4 address.
Example: 192.0.2.0/24
Service Profile Information
Profile Name
Specify the name of the service profile in a VIM instance.
Example: vim-service-profile
Tenant Name
Specify the infra tenant for whom you want to assign the
service profile.
Example: test-tenant
Domain Name
Specify the infra domain name.
Example: Default
User Name
Specify the username of the tenant.
Example: admin
Password
Specify the password for the tenant user.
Example: password123
Default Service Profile
If you use a dedicated OpenStack Keystone for Contrail Service
Orchestration, specify the name of the default service profile.
If you do not specify a service profile when you configure the
tenant, Contrail Service Orchestration uses the default profile
to authenticate the tenant.
Example: default-service-profile
NOTE: Infra tenants such as admin are available only in the regional Keystone
and not in CSO Keystone (Central Keystone).
Related Documentation
• About the Routers Page on page 85
• Configuring Devices on page 89
• Creating an EMS on page 83
About the EMS Page
To access this page, click Resources > POPs > POP Name > EMS.
You can use the EMS page to create an element management system and to view
information about an EMS configured in your POP. You need to configure your Junos
Space Virtual Appliance with the Administration Portal so that the virtual appliance can
communicate with other components in your deployment.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create an EMS. See “Creating an EMS” on page 83.
• Change the Junos Space Password. See “Changing the Junos Space Virtual Appliance
Password” on page 85.
• Select a different POP from the drop-down list above the top left of the table to view
details about an EMS in grid view.
• View details about an EMS. Click the details icon that appears when you hover over
the name of an EMS application. See “Viewing Object Details” on page 14.
• Show or hide columns about an EMS. See “Sorting Objects” on page 15.
• Search an object about an EMS. See “Searching for Text in an Object Data Table” on
page 15.
Field Descriptions
Table 43 on page 83 shows the fields on the EMS page.
Table 43: Fields on the EMS Page
Field
Description
Name
View the name of the EMS application.
Example: Junos Space
IP Address
View the IP address of the Junos Space Web user interface (UI). For a redundant Contrail
Service Orchestration, configure the IP address of the Web UI for the primary Junos
Space Virtual Appliance.
Example: 192.0.2.3
Vendor
View the vendor name for the EMS.
Example: Juniper Networks
Related Documentation
• About the POPs Page on page 55
• Creating a Single POP on page 57
• About the VIMs Page on page 76
• About the Routers Page on page 85
Creating an EMS
You can use the EMS Management page to configure the primary instance of each element
management system (EMS) that you use for the Cloud CPE Centralized Deployment
Model. Administration Portal automatically adds an object for the EMS, using the name
that you specify when you deploy the Junos Space Virtual Appliance.
Verify that the VIM Management page displays the virtualized infrastructure managers
(VIMs).
To create an EMS:
1. Click Resources > POPs > POP Name > EMS.
2. Click the plus (+) icon.
The Add EMS page appears.
3. Complete the configuration according to the guidelines provided in
Table 44 on page 84.
4. Click Save. If you want to discard your changes, click Cancel instead.
Table 44: Fields on the Add EMS Page
Field
Guidelines
Name
Name of the EMS. This field is auto-populated with the name that you specified when you deployed
the Junos Space Virtual Appliance.
Example: Junos Space
IP
Specify the IP address of the Junos Space Web user interface (UI).
For a redundant Contrail Service Orchestration, configure the IP address of the Web UI for the
primary Junos Space Virtual Appliance.
Example: 192.0.2.3
Vendor
Specify the vendor for the EMS.
Example: Juniper Networks
Version
Specify the version number of the EMS. The default version is 15.1.
Example: 15.1
Authentication URL
Specify the authentication URL for the EMS application.
User Name
Specify the username of the device administrator that you configured. This user should be assigned
the admin role in all the tenants. The default username is super.
Example: super
Password
Specify the administrator password that you configured. The default password is juniper123.
Example: juniper123
Related Documentation
• About the Routers Page on page 85
• Creating a Cloud VIM on page 78
Changing the Junos Space Virtual Appliance Password
Administration Portal enables you to change the password for your Junos Space Virtual
Appliance from the EMS Page.
To change the password:
1. Click Resources > POPs > POP Name > EMS.
2. Select the POP name from the drop-down list.
3. Select the Junos Space Virtual Appliance whose password you want to change.
4. Click More > Change Password.
The Change Password page appears.
5. Complete the configuration according to the guidelines provided in
Table 45 on page 85.
6. Click Save. If you want to discard your changes, click Cancel instead.
Table 45: Change Password Fields
Field
Description
Username
Specify the administrator username that you configured.
Example: super
Password
Specify the new password that you want to configure.
You can choose a password that is at least eight characters long and contains characters from at
least three of the following four character classes: uppercase letters, lowercase letters, numbers (0
through 9), and special characters.
Related Documentation
• About the EMS Page on page 82
• Creating an EMS on page 83
About the Routers Page
To access this page, click Resources > POPs > POP Name > Routers.
You can use the Routers page to view information about the gateway router configured
in the POP and to create and configure physical network elements (PNEs) associated
with a specific customer site. A PNE is a device in the network that you can provision and
configure through Contrail Service Orchestration.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a device. See “Creating Devices” on page 87.
• Configure a device. See “Configuring Devices” on page 89.
• Select a different POP from the drop-down list above the top left of the table to view
router details in grid view.
• View details about a router. Click the details icon that appears when you hover over
the name of a router application. See “Viewing Object Details” on page 14.
• Show or hide columns about the routers. See “Sorting Objects” on page 15.
• Search an object about the router. See “Searching for Text in an Object Data Table”
on page 15.
• Delete a device. See “Deleting Objects” on page 14.
Field Descriptions
Table 46 on page 86 describes the fields on the Routers page.
Table 46: Fields on the Routers Page
Field
Description
Name
View the name of the device configured in the POP.
Example: blue_device
IP Address
View the IP address of the device.
Example: 10.155.67.6
Serial Number
View the serial number of the device.
Example: JN116548FAFC
Management Status
View the management status of the device.
Example: ACTIVE
Related Documentation
• About the POPs Page on page 55
• About the VIMs Page on page 76
• About the EMS Page on page 82
• Creating a Single POP on page 57
Creating Devices
You can use the Routers page to create physical network elements (PNEs) for a specific
point of presence (POP).
To create a device:
1. Click Resources > POPs > POP Name > Routers.
2. Click Add > Discover Device.
The Add Device page appears.
3. Complete the configuration according to the guidelines provided in Table 47 on page 87.
4. Click Save. If you want to discard your changes, click Cancel instead.
Table 47: Fields on the Add Device Page
Field
Description
Name
Specify the name of the device, which can be:
• An MX Series router used as an SDN gateway in a centralized deployment.
• An MX Series router used as a provider edge (PE) router in a distributed deployment.
• An SRX Series Services Gateway used as an IPsec concentrator in a distributed deployment.
You can use any number of alphanumeric characters, including special characters.
Example: MX-router-10
Family
Select the product series for the device.
Example: MX
Device Template
Select the name of the device template for the device:
• Juniper-MX-MIS—Customized device template for an MX Series router that prevents the creation of
black holes when an administrative user activates a service at a site. Select this option only if you have
been advised to do so by Juniper Networks.
• SDN-GW-MX—Default template for MX Series router. Select this option for MX Series routers in
centralized and distributed deployments.
• SRX_Basic_SDWAN_HUB—Device template for an SRX Services Gateway used as a hub that offers
basic SD-WAN functionality in a distributed deployment. Select this option only if you have been advised
to do so by Juniper Networks.
• SRX_Managed_Internet_CPE—Device template to manage SRX Services Gateway devices for a
managed internet service.
• SRX_SDWAN_SUPPORT—Device template for an SRX Series Services Gateway with SDWAN
deployment.
Type of Device
Select the type of device:
• PNE—Use this option in a centralized deployment to add an MX Series router as an SDN gateway.
• PE/IPsec—Use this option in a distributed deployment to add an MX Series router as a PE router, an
IPsec concentrator or both, or to add an SRX Series gateway as an IPsec concentrator.
PNE package
If you specified that the device is an MX Series router for a centralized deployment, select the name of
the package that contains metadata and configuration instructions for the PNE:
• Juniper-MX—Use with the SDN-GW-MX device profile.
• Juniper-MX-MIS—Customized device profile with MX Series configuration that prevents the creation
of black holes when an administrative user activates a service at a site. Use with the Juniper-MX-MIS
device profile.
Management Type
If you specified that the device is a PE router, IPsec concentrator, or both, specify whether Contrail Service
Orchestration manages the device:
• Managed—Select this option if you use Contrail Service Orchestration to manage the device.
• Unmanaged—Select this option if you use an application other than Contrail Service Orchestration to
manage the device. In this case, Contrail Service Orchestration uses the device object that you configure
for presentation purposes only.
Device IP
Specify the IPv4 address of the management interface for the device.
Example: 192.0.2.15
Internet Gateway (optional)
Specify one or more Internet gateway IPv4 addresses if the device connects to CPE devices that have
access to the Internet. An Internet gateway IPv4 address may be the same as the IPv4 address of the
endpoint of the IPsec tunnel on the IPsec concentrator for a CPE device.
Example: 192.0.2.20
User Name
Specify the username that you configured when you set up the device. You use this username to log into
the device. Providing login credentials gives Contrail Service Orchestration access to the device.
Example: root
Password
Specify the password that you configured when you set up the device. You use this password to log in to
the device. Providing login credentials gives Contrail Service Orchestration access to the device.
Example: pwd123
Related Documentation
• About the Routers Page on page 85
• Configuring Devices on page 89
Configuring Devices
You can use the Routers page to configure physical network elements (PNEs) associated
with a specific customer site.
To configure a device:
1. Click Resources > POPs > POP Name > Routers.
2. Select the router that you want to configure.
3. Click More > PNE Configure.
The PNE Configure page appears.
4. Click the + icon to add interface configuration details.
5. Complete the configuration according to the guidelines provided in
Table 48 on page 89.
6. Click OK. If you want to discard your changes, click Cancel instead.
Table 48: Fields on the PNE Configure Page
Field
Description
Interface Configuration
Name
Specify the identifier of the physical interface of the device that acts as the
management interface. This interface connects to the management network
in Contrail. You either configure this network in Contrail or in Administration
Portal when you create the virtualized infrastructure manager (VIM).
Example: xe-1/1/1
Vlan
(Optional) If you use VLANs to segment the VPN, specify the identifier of the
VLAN interface that connects to the management network in Contrail. The
identifier is an integer in the range 1–4096.
Example: 100
Addr
Specify an IPv4 prefix for the management interface.
Example: 192.0.2.15
BGP Configuration
AS Number
Specify the autonomous system (AS) number for BGP routing with the Contrail
Controller node.
Example: 64512
Local Address
Specify an IPv4 address, such as the loopback address, that the router uses
for BGP sessions.
Example: 192.0.2.15
Remote Address (Contrail Controller)
Select the IPv4 address of the data interface for the Contrail Controller node.
Example: 192.0.2.25
Contrail Compute Prefix
Select one or more IPv4 prefixes that define the subnets between the SDN
gateway and the Contrail Compute nodes.
Example: 192.0.2.0/24
Management VRF Configuration
Interface Name
Reenter the management interface identifier that you specified in the Interface
Configuration Name field. In the Management VRF Configuration section, you
associate this interface with a virtual routing and forwarding instance (VRF).
Example: xe-1/1/1
Interface VLAN
(Optional) If you use VLANs to segment the VPN, reenter the identifier that
you specified in the Interface Configuration VLAN field. In the Management
VRF Configuration section, you associate this interface with a virtual routing
and forwarding instance (VRF).
Example: 100
Default Gateway
(Optional) Specify the IPv4 address on the router that provides the default
route for management traffic.
Example: 192.0.2.40
Route Target
Specify the route target for the management network used in Contrail.
Example: 64512:10000
Route Distinguisher
Specify the route distinguisher for the management network used in Contrail.
Example: 64512:10000
Internet VRF Configuration
Interface Name
Specify one or more physical interfaces on the router that connect to the
Internet.
Example: xe-2/2/2
Interface VLAN
(Optional) If you use VLANs to segment the VPN, specify the identifiers of the
VLAN interfaces that connect to the Internet. A VLAN identifier is an integer
in the range 1–4096.
Example: 500
Default Gateway
(Optional) Specify the IPv4 address on the router that provides the default
route for Internet traffic.
Example: 192.0.2.50
Route Target
Specify the route target for Internet traffic on this interface. This value matches
the Route Target value that you configure for the VPN associated with the
site.
Example: 64512:12000.
Route Distinguisher
Specify a unique route distinguisher for traffic on this interface. This value
matches the Route Distinguisher value that you configure for the VPN
associated with the site. You can specify any unique route distinguisher, such
as the route target for Internet traffic.
Example: 64512:12000
You can also configure the devices from the POPs landing page.
To configure a device:
1. Select Resources > POPs > Pop-Name.
The Pop-Name page appears.
2. Click the Routers tab.
3. Select the device that you want to configure and click the Configure Device button.
The Stage 2 Config page appears. This page is dynamically rendered based on stage-2
configuration specified in the device profile.
4. Enter the configuration data on the page.
5. Click Save to save the configuration.
A confirmation message is displayed and the deployment status changes to pending
deployment.
6. Click Deploy to save and deploy the configuration.
A confirmation message is displayed indicating that the job is created and subsequently
that the job was successful. You can click Deploy History to view the job logs.
7. Click Cancel to go back to the Pop-Name page.
Related Documentation
• About the Routers Page on page 85
• Creating Devices on page 87
Adding a Hub Device
You can use the Routers page to add a hub device to a specific point of presence (POP)
in an SD-WAN deployment with hub-and-spoke topology. The supported hub models are:
• MSP Hub—This hub can be shared by multiple tenants.
• Tenant Hub—This hub is specific to a tenant. You can add a tenant hub by logging in
to Customer Portal and following the site creation procedure.
NOTE: You can use only an SRX Series Services Gateway as a hub device.
Before You Begin
Create all the resources required for the network point of presence (POP). See “Creating
a Single POP” on page 57.
To add an MSP hub device:
1. Select Resources > POPs > POP-Name > Routers.
The Routers page appears.
2. Select Add > Add (Model) Hub Device.
The Add Hub Device page appears.
3. Complete the configuration according to the guidelines provided in
Table 49 on page 93.
4. Click Ok. If you want to discard your changes, click Cancel instead.
If you click Ok, then the information about the new hub device appears on the Routers
page.
Table 49: Fields on the Add Hub Device Page
Field
Description
Name
Specify the name of the hub device.
You can use any number of alphanumeric characters, including special characters.
Example: SRX-cloud-hub
Management Region
Displays the regional server with which the CPE device communicates. The management region
name is populated based on the information from the device template.
Example: regional
POP
Select the POP name for the hub device.
Example: pop_blue
Device Profile
Select the device template that supports SD-WAN deployment with hub-and-spoke topology.
Example: SRX_Advanced_SDWAN_HUB_option_1
Connectivity
Based on the site requirement, the following fields are populated:
Management Connectivity
(Optional) Select this option if the management connectivity is initiated by Contrail Service
Orchestration (CSO).
VLAN ID
Specify the OAM VLAN ID for the in-band management of the site.
Example: 53
IP Prefix
Specify one or more prefixes for the site management network. You can use an IPv4 address.
Example: 172.16.0.0
Gateway IP
Specify the IPv4 address of the default route for the management network.
Example: 192.168.0.0
WAN_0
WAN_1
WAN_2
WAN_3
Select to enable a WAN link. If you select a WAN link, then specify the following information:
• WAN Interface—Displays the interface name configured in the device template. You cannot
modify this field.
• Link Type—Select the link type (MPLS or Internet).
• Address Assignment—Select the method for IP address assignment. The options available
are:
  • DHCP—Select DHCP to assign an IP address by using a DHCP server.
  • STATIC—Select STATIC to assign a static IP address.
• Traffic type—Select the traffic type. The options available are:
  • DATA_ONLY—Select this option if you want to use the WAN link to transmit only data traffic.
  • OAM_AND_DATA—Select this option if you want to use the WAN link to transmit both data
  traffic and management traffic.
NOTE: You must select at least one WAN link with OAM_AND_DATA traffic type.
Data VLAN ID
(Optional) Enter the VLAN ID that is associated with the data link. A data VLAN identifier is an
integer in the range 0–65,535.
Activation Info
Serial Number
Enter the serial number of the hub device.
Example: XXXXXXXXXXXX
Activation Code
Specify the activation code for the hub device. This field is displayed based on the device template
selected for the hub device. If ACTIVATION_CODE_ENABLED option is enabled in the device
template, then the Activation Info section displays the Activation Code field.
Example: XXXXXX
Related Documentation
• About the Routers Page on page 85
• Configuring Devices on page 89
View the History of Device Data Deletions
You can use the Delete History page to view the deleted device data, status of the delete
operation, and log details.
To view the history of deleted device data:
1. Click Resources > POPs > POP Name > Routers > More > Delete History.
The Delete History page is displayed. Table 50 on page 95 describes the fields on the
Delete History page.
2. Click a task name.
The Delete Device Tasks page appears. Table 51 on page 95 describes the fields on
the Delete Task page.
3. Click the Task ID.
The Job Status page appears. Table 52 on page 95 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 50: Fields on the Delete History Page
Field
Description
Name
View the name of the task.
In progress
View the number of delete tasks that are in progress.
Success
View the number of delete tasks that are successful.
Failure
View the number of delete tasks that have failed.
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click a log to access more detailed information about
the deleted log.
Table 51: Fields on the Delete Device Tasks Page
Field
Description
Success
View the number of times the delete operations succeeded for a device.
Failure
View the number of times the delete operations failed for a device.
Task ID
View the ID created for the task.
Click the task ID to view the delete log details corresponding to a device.
Status
View the status of the task to know whether the task succeeded or failed.
Table 52: Fields on the Job Status Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who deleted the task.
End Time
View the end date and time of the task.
State
View the status of the task to know whether the task succeeded or failed.
Related Documentation
• Creating Devices on page 87
• Configuring Devices on page 89
CHAPTER 11
Managing Devices
• About the Devices Page
• Managing a Single CPE Device
• Configuring Activation Data for a Single Device
• Configuring Activation Data for Multiple Devices
• Viewing the History of Activation Data Uploads
• Viewing the History of Deactivation Requests
• Viewing the History of Device Activation Logs
About the Devices Page
To access this page, click Resources > Devices.
You can use the Devices page to view the list of available CPE devices in the service
provider network. You can also view information about each CPE device in the network.
Tasks You Can Perform
You can perform the following tasks from this page:
• Quickly view activation data created for CPEs in the widgets that appear at the top of
the page. See Table 53 on page 98.
• Configure activation data for a single CPE. See “Configuring Activation Data for a Single
Device” on page 100.
• Configure activation data for multiple CPEs. See “Configuring Activation Data for
Multiple Devices” on page 101.
• View the history of activation data. See “Viewing the History of Activation Data Uploads”
on page 104.
• View the history of deactivation requests. See “Viewing the History of Deactivation
Requests” on page 106.
• View Stage-1 configuration. Click Resources > Devices > Device-Name > Stage 1 Config
to view the stage-1 configuration for the device.
• View the device audit logs. Click Resources > Devices > Device-Name > Device Audit
Logs to view the audit logs for the device.
• View details about a CPE device. Click the details icon that appears when you hover
over the name of a device or click More > Details. See “Viewing Object Details” on
page 14.
• Delete a CPE. See “Deleting Objects” on page 14.
• Show or hide columns about the CPE. See “Sorting Objects” on page 15.
• Search an object about the CPE device. See “Searching for Text in an Object Data
Table” on page 15.
• Table 53 on page 98 describes widgets on the Devices page.
• Table 54 on page 98 describes the fields on the Devices page.
Field Descriptions
Table 53: Widgets on the Devices Page
Widget
Description
Cloud CPEs by Status
View the management status of the CPE devices deployed in the
cloud.
• Pending Activation—Number of CPE devices that are yet to connect
to the regional server.
• Activation Failed—Number of CPE devices that could not connect
to the regional server.
• Expected—Number of CPE devices that have yet to connect to the
regional server.
• Active—Number of CPE devices that have downloaded images, but
are not yet configured.
• Provisioned—Number of CPE devices on which IPsec tunnels are
fully operational.
• Provision Failed—Number of CPE devices that failed because the vSRX was
not instantiated properly.
Table 54: Fields on the Devices Page
Field
Description
Device Name
View the name of the device.
Example: sunny-NFX-250
Tenant
View the name of the tenant.
Example: tenant-blue
Site Name
View the name of the tenant site.
Example: site-blue-white
Location
View the name of the location.
Example: San Jose, CA
Status Message
View the latest status message.
Example: IPsec provision success
WAN Links
View the number of WAN links.
Example: 2
POP Name
View the name of the POP.
Example: pop_blue
Management Status
View the management status of the CPE devices deployed in the cloud.
• Expected—Regional server has activation details for the CPE device,
but CPE device has not yet established a connection with the server.
• Active—CPE device has downloaded images, but is not yet configured.
• Provisioned—IPsec tunnel on NFX250 device is operational.
• Provision Failed—CPE device failed when the vSRX was not
instantiated properly.
Model
View the name of the device model.
Example: NFX
Active Services
View the number of services that are activated for the device.
Example: 3
Image Name
View the name of the device image file.
Example: install_nfx_fmpm_agent_1_0.sh
OS Version
View the Junos OS Release version.
Example: 15.1X49-D40
Serial Number
View the serial number of the device.
Example: DD0416AA0117
Related Documentation
• Configuring Activation Data for Multiple Devices on page 101
• Viewing the History of Activation Data Uploads on page 104
• Viewing the History of Deactivation Requests on page 106
Managing a Single CPE Device
You can use the Devices page to view and manage a single customer premises equipment
(CPE) device at the tenant site. To access this page, click Resources > Devices >
Device-Name.
View the following information on the Overview tab:
• Geographical location of the device at the tenant site.
• Aggregate throughput of the device.
• Recent alerts for the device.
• Details of the device, such as serial number, management IP address, OS version,
device template, tenant name, site name, and site location.
Related Documentation
• About the Devices Page on page 97
Configuring Activation Data for a Single Device
You can configure the activation data for a single device from the Ship Device page.
To configure activation data:
1. Click Resources > Devices.
The Devices page appears.
2. Select a device and click Ship Device.
The Ship Device page appears.
3. Complete the configuration according to the guidelines provided in
Table 55 on page 101.
4. Click OK. If you want to discard your changes, click Cancel instead.
The activation data is stored in Contrail Service Orchestration and the device state
on the Devices page changes to EXPECTED. When a customer activates the device,
Contrail Service Orchestration uses the data to authenticate the device, and after
successful validation, the device state changes to ACTIVE. Contrail Service
Orchestration then uploads the vSRX image on to the CPE device and establishes
tunnels for connectivity. When this process is successful, the device state changes to
PROVISIONED. If the process fails, the device state will be PROVISION_FAILED.
Table 55: Fields on the Ship Device Page
Field
Description
Customer Name
View the customer name.
Example: allenucpe
Site Name
View the customer site name.
Example: allen
Device Name
View the device name.
Example: allen-site22-nfx250
Serial Number
Specify the serial number of the device. For the NFX250 device, use the show chassis hardware
CLI command to find the serial number of the device.
Example: DD2316AF0177
Activation Code (only for NFX250 device)
Specify a code that an NFX250 device sends to the regional activation server to obtain its boot
image. Other devices do not require the activation code. The administrator in the service provider
network must also send the activation code to the customer, so that the site administrator can
specify the activation code when they start up the device.
You can use an unlimited number of alphanumeric characters but special characters are not
allowed.
BEST PRACTICE: Use a different number for each customer; however, you can use the same
activation code for multiple devices.
Example: 545454
Boot Image
Specify optional to use the boot image shipped with the device or select a release from the list.
Example: juniper_nfx_1.5_img.tgz
You can download device images from Junos Platforms - Download Software and upload
the image to the Administration Portal. See “Uploading a Device Image” on page 131.
Related Documentation
• About the Devices Page on page 97
• Configuring Activation Data for Multiple Devices on page 101
• Viewing the History of Activation Data Uploads on page 104
Configuring Activation Data for Multiple Devices
You can use the Ship CPEs page to configure activation data for multiple devices.
• Customizing an Activation Data File
• Uploading an Activation Data File
Customizing an Activation Data File
To create an activation data file:
1. Select Resources > Devices.
2. Click Ship Devices > Ship.
The Ship CPEs page appears.
3. Click the Download Sample JSON link to open and save the sample JSON data file.
The sample file opens at the bottom of the page.
4. Save the file to your computer with an appropriate name.
NOTE: You need to retain the file format as .json to successfully upload
the CPE device details to the Administration Portal.
5. Customize the file using the guidelines in Table 56 on page 102.
6. Save the customized file.
Table 56: CPE Data Fields
Field
Description
customer_name
Specify the name of the customer.
Example: Juniper-new1
site_name
Specify the name of the tenant site.
Example: Juniper-site-17-new1
Serial Number
Specify the serial number of the CPE. For the NFX 250 platform, use the show chassis
hardware CLI command to find the serial number of the device.
Example: DD2316AF0177
activation_code (only for NFX250 device)
Specify the code that an NFX250 device sends to the regional activation server to obtain
its boot image. Other devices do not require the activation code. The administrator in
the service provider network must also send the activation code to customers, so that
the site administrator can specify the activation code when they start up the device.
You can use an unlimited number of alphanumeric characters but special characters
are not allowed.
BEST PRACTICE: Use a different number for each customer; however, you can use the
same activation code for multiple devices.
Example: 545454
boot_image
Specify the name of the software image.
Specify optional to use the boot image shipped with the device or select a release from
the list.
Example: jinstall-nfx-2-flex-15.1-20160701_15.1X53-D41.1.secure-domestic-signed.tgz
You can download software images from Junos Platforms - Download Software
and upload the image to the Administration Portal. See “Uploading a Device Image” on
page 131.
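The field rules in the CPE data fields table can be checked before the file is uploaded. The following is an added example, not code from CSO or Juniper: it assumes the file is a JSON array of objects and that the serial number key is named serial_number (the table shows only the label "Serial Number"), so match the keys to the sample JSON downloaded from the Ship CPEs page.

```python
import json
import re
from collections import defaultdict

# Keys follow the field names in the CPE data fields table. "serial_number" is an
# ASSUMED key: the table labels that field "Serial Number" and shows no JSON key.
# The top-level array of objects is likewise an assumption about the file layout.
REQUIRED = ("customer_name", "site_name", "serial_number")
ALNUM = re.compile(r"[A-Za-z0-9]+")


def _text(rec, key):
    """Return the stripped string under key, or None if missing, blank or not a string."""
    value = rec.get(key)
    return value.strip() if isinstance(value, str) and value.strip() else None


def lint_activation_data(records):
    """Check a list of CPE records; return (record_index_or_None, message) findings."""
    findings = []
    first_seen = {}                       # serial number -> index of first record using it
    customers_by_code = defaultdict(set)  # activation code -> customers that use it

    for i, rec in enumerate(records):
        if not isinstance(rec, dict):
            findings.append((i, "record is not a JSON object"))
            continue
        for key in REQUIRED:
            if _text(rec, key) is None:
                findings.append((i, f"missing or empty {key}"))

        # A serial number identifies one device, so it must not repeat in the file.
        serial = _text(rec, "serial_number")
        if serial is not None:
            serial = serial.upper()
            if serial in first_seen:
                findings.append((i, f"serial number duplicates record {first_seen[serial]}"))
            else:
                first_seen[serial] = i

        # activation_code applies only to NFX250 devices, so it may be absent.
        if "activation_code" in rec:
            code = rec["activation_code"]
            if not isinstance(code, str) or not ALNUM.fullmatch(code):
                findings.append((i, "activation_code is not purely alphanumeric"))
            elif _text(rec, "customer_name") is not None:
                customers_by_code[code].add(_text(rec, "customer_name"))

    # Best practice from the table: one code may cover several devices of the same
    # customer, but different customers should not share a code. The code is a
    # credential, so findings name the customers and never echo the code itself.
    for customers in customers_by_code.values():
        if len(customers) > 1:
            names = ", ".join(sorted(customers))
            findings.append((None, f"activation code shared across customers: {names}"))
    return findings


# Constructed sample input (not the product's sample JSON file).
SAMPLE = json.loads("""
[
  {"customer_name": "tenant-a", "site_name": "site-a1",
   "serial_number": "SAMPLE000001", "activation_code": "545454", "boot_image": "optional"},
  {"customer_name": "tenant-a", "site_name": "site-a2",
   "serial_number": "SAMPLE000002", "activation_code": "545454", "boot_image": "optional"},
  {"customer_name": "tenant-b", "site_name": "site-b1",
   "serial_number": "SAMPLE000003", "activation_code": "545454", "boot_image": "optional"},
  {"customer_name": "tenant-b", "site_name": "site-b2",
   "serial_number": "sample000001", "activation_code": "54-54!", "boot_image": "optional"},
  {"customer_name": "tenant-c", "site_name": "",
   "serial_number": "SAMPLE000004", "boot_image": "optional"}
]
""")

if __name__ == "__main__":
    for index, message in lint_activation_data(SAMPLE):
        where = "file" if index is None else f"record {index}"
        print(f"{where}: {message}")
```

Records 0 and 1 pass because one customer may reuse a code across its own devices; the file-level finding appears only when a second customer carries the same code.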
Uploading an Activation Data File
You can use the Administration Portal to import an activation data file for one or more
CPEs.
To upload an activation data file:
1. Select Resources > Devices.
2. Click Ship Devices > Ship.
The Ship CPEs page appears.
3. Click Browse and navigate to the directory containing the .json file.
4. Select the file and click Open.
5. Click Import.
The Ship CPE Details page appears.
6. Table 57 on page 104 describes the fields on the Ship CPE Details page.
7. Click OK to close the window.
Table 57: Fields on the Ship CPE Details Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who imported the task.
End Time
View the end time of the task.
State
View the status of the task to know whether the task succeeded or failed.
See Also
• Viewing the History of Activation Data Uploads on page 104
Viewing the History of Activation Data Uploads
You can use the Ship History page to view the uploaded activation data. You can also
view the details of the uploaded logs and their status.
To view the history of imported activation data:
1. Click Resources > Devices > Ship CPEs > Ship History.
The Ship History page is displayed. Table 58 on page 104 describes the fields on the
Ship History page.
2. Click a task name.
The Ship Tasks page is displayed. Table 59 on page 105 describes the fields on the
Ship Tasks page.
3. Click the task ID.
The Job Status page is displayed. Table 60 on page 105 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 58: Fields on the Ship History Page
Field
Description
In progress
View the number of import tasks that are in progress.
Success
View the number of import tasks that are successful.
Failure
View the number of import tasks that have failed.
Name
View the name of the task.
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click a log to access more detailed information about
the imported log.
Table 59: Fields on the Ship Tasks Page
Field
Description
Tasks ID
View the ID created for the task.
Status
View the status of the task to know whether the task succeeded or failed.
Table 60: Fields on the Job Status Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who imported the task.
End Time
View the end date and time of the task.
State
View the status of the task to know whether the task succeeded or failed.
Related Documentation
• Configuring Activation Data for Multiple Devices on page 101
• Viewing the History of Deactivation Requests on page 106
Viewing the History of Deactivation Requests
You can use the Delete History page to view the deactivated requests, status of the
deactivated requests, and log details.
To view the history of deleted activation data:
1. Click Resources > Devices > Ship CPEs > Delete History.
The Delete History page is displayed. Table 61 on page 106 describes the fields on the
Delete History page.
2. Click a task name.
The Ship CPEs Tasks page appears. Table 62 on page 106 describes the fields on the
Delete Tasks page.
3. Click the task ID.
The Job Status page appears. Table 63 on page 107 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 61: Fields on the Delete History Page
Field
Description
Name
View the name of the task.
In progress
View the number of delete tasks that are in progress.
Success
View the number of delete tasks that are successful.
Failure
View the number of delete tasks that have failed.
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click a log to access more detailed information about
delete logs.
Table 62: Fields on the Ship CPEs Tasks Page
Field
Description
Success
View the number of times the delete operations succeeded for a device.
Failure
View the number of times the delete operations failed for a device.
Task ID
View the ID created for the task.
Click the task ID to view the delete log details corresponding to a device.
Status
View the status of the task to know whether the task succeeded or failed.
Table 63: Fields on the Job Status Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who imported the task.
End Time
View the end date and time of the task.
State
View the status of the task to know whether the task succeeded or failed.
Related Documentation
• Configuring Activation Data for Multiple Devices on page 101
• Viewing the History of Activation Data Uploads on page 104
Viewing the History of Device Activation Logs
You can use the ZTP History page to view the history of device activation logs. You can
also view the details of the activation logs and their status.
To view the device activation logs:
1. Click Sites > Device Activation Logs.
The ZTP History page is displayed. Table 64 on page 108 describes the fields on the
ZTP History page.
2. Click a task name.
The ZTP Logs page appears. Table 65 on page 108 describes the fields on the ZTP
Logs page.
3. Click the Task ID.
The Job Status page appears. Table 66 on page 108 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 64: Fields on the ZTP History Page
Field
Description
In progress
View the number of activated tasks that are in progress.
Success
View the number of activated tasks that are successful.
Failure
View the number of activated tasks that have failed.
Name
View the name of the task.
Example:
csp.tssm_ztp-Juniper-site-17-NFX-250-8052cc9451914be28c7c98fb64fd0db3
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click a log to access more detailed information about
the imported log.
Table 65: Fields on the ZTP Logs Page
Field
Description
Task ID
View the ID created for the task.
Example: 3f9860ae-dd8f-4579-9357-29c42ab33a07/9
Status
View the status of the task to know whether the task succeeded or failed.
Table 66: Fields on the Job Status Page
Field
Description
Name
View the name of the task.
Actual Start Time
View the start date and time of the task.
User
View the name of the user who activated the task.
End Time
View the end date and time of the task.
State
View the status of the task to know whether the task succeeded or failed.
Related Documentation
• Activating a CPE Device on page 392
CHAPTER 12
Managing Device Templates
• About the Device Template Page
• Cloning a Device Template
• Importing a Device Template
• Configuring a Device Template
• Modifying a Device Template Description
• Deleting a Device Template
About the Device Template Page
To access this page, click Resources > Device Templates.
A device template contains configuration and provisioning instructions for a physical
device that you manage through Contrail Service Orchestration (CSO), such as a CPE
device or a router. The CSO installation includes several device templates for CPE devices
and other physical devices. The device templates for non-CPE devices are fixed and you
cannot customize them. You assign a device template to this type of device in CSO when
you add it to a point of presence (POP). The CPE device templates are specific to the
type of device and topology of the solution. You must assign a device template to each
CPE device at each site in a distributed deployment. The CPE device templates contain
three types of information:
• Template settings information prepares the device for remote activation, connects
the device to the peer MX Series router, and establishes an IPsec tunnel with the router.
• Stage-2 configuration template information specifies the additional settings that you
or your customer can configure for the device. For example, you can enable configuration
of a LAN and firewall policies. You create these configuration templates in Configuration
Designer and provide implementation details in the device template.
• Stage-2 initial configuration information provides the actual values for the stage-2
configuration templates. In general, your customers perform this configuration through
Customer Portal.
In some cases, however, you might want all CPE devices to use the same values, and you
have the option to provide those values through the device template. You can use the
default CSO CPE device templates if they are suitable for the topology of your solution.
You can also customize the default device templates or create your own device templates
and upload them to CSO.
The device templates support the following deployment models:
• MPLS WAN with Internet backup—Device templates NFX_deployment_option_1 and
SRX_deployment_option_1 support this deployment model.
• Secure WAN over Internet—Device template NFX_deployment_option_4 supports this
deployment model.
• CPE for a Managed Internet Service—Device templates NFX_Managed_Internet_CPE
and SRX_Managed_Internet_CPE support this deployment model.
Tasks You Can Perform
You can perform the following tasks from this page:
• Clone a device template. See “Cloning a Device Template” on page 115.
• Import a device template from a file. See “Importing a Device Template” on page 116.
• Configure a device template. See “Configuring a Device Template” on page 118.
• Modify a device template description. See “Modifying a Device Template Description”
on page 124.
• Delete a device template. See “Deleting a Device Template” on page 125.
• View details about a device template. See “Viewing Object Details” on page 14.
• Show or hide columns about the templates. See “Sorting Objects” on page 15.
• Search an object about the templates. See “Searching for Text in an Object Data Table”
on page 15.
Field Descriptions
Table 67 on page 113 describes the fields on the Device Templates page.
Table 67: Fields on the Device Templates Page
Field
Description
Template Name
View the name of the device template.
• Juniper-MX-MIS—Customized device template for an MX Series router that
prevents the creation of black holes when an administrative user activates a
service at a site. Select this option only if you have been advised to do so by
Juniper Networks.
• SDN-GW-MX—Default template for MX Series router. Select this option for
MX Series routers in centralized and distributed deployments.
• SRX_Basic_SDWAN_HUB—Device template for an SRX Series Services
Gateway used as a hub that offers basic SD-WAN functionality in a distributed
deployment. Select this option only if you have been advised to do so by
Juniper Networks.
• SRX_deployment_option_1—Device template for an SRX Series Services
Gateway or a vSRX used as a CPE device in a distributed deployment.
• SRX_Managed_Internet_CPE—Device template to manage SRX Series Services
Gateway devices for a managed internet service.
• NFX_deployment_option_1—Device template for an NFX250 device in a
distributed deployment. This template supports port-forwarding with a
CSO-initiated connection.
• NFX_deployment_option_4—Device template for an NFX250 device in a
distributed deployment. This template supports outbound SSH, which is the
device-initiated connection, with port-forwarding capability.
• NFX_Managed_Internet_CPE—Device template to manage an NFX250 device
for a managed Internet service.
• SRX_Advanced_SDWAN_CPE_option_1—Device template for an SRX Series
Services Gateway spoke in an SD-WAN deployment with hub-spoke topology.
• SRX_Advanced_SDWAN_HUB_option_1—Device template for an SRX Series
Services Gateway hub in an SD-WAN deployment with hub-spoke topology.
• VRR_Advanced_SDWAN_option_1—Device template for an SD-WAN
deployment with hub-spoke topology.
• NFX_Advanced_SDWAN_CPE_option_1—Device template for an NFX250
device that you use for an SD-WAN deployment with SP-managed hub-spoke
topology.
• NFX_SDWAN_SUPPORT—Device template for an NFX250 device that you
use for an SD-WAN deployment.
• SRX_SDWAN_SUPPORT—Device template for an SRX Series Services
Gateway with an SD-WAN deployment.
Description
View the description of the device template.
Example: NFX250 device deployed as a CPE device with SD-WAN capability.
Assigned to
View the number of tenant sites using the device template.
Example: 2 Tenants (2 Sites)
Workflows
View the number of workflows used in the device template.
Example: 7
Target Family
View the name of the device family for which the device template is created.
Example: juniper-srx
Last Updated
View the date and time when the device template was last updated.
Example: 05/23/2017 06:22
The device templates and their default configurations are listed in
Table 68 on page 114 and Table 69 on page 114.
Table 68: Device Templates Supported on NFX250 Device
| Device Template Name | NFX_deployment_option_1 | NFX_Managed_Internet_CPE | NFX_deployment_option_4 | NFX_Advanced_SDWAN_CPE_option_1 |
| --- | --- | --- | --- | --- |
| AUTO_DEPLOY_STAGE2_CONFIG | Disabled | Disabled | Disabled | Disabled |
| ZTP_ENABLED | — | — | — | — |
| PRE-STAGED-CPE | — | — | — | — |
| ACTIVATION_CODE_ENABLED | Enabled | Enabled | Enabled | Enabled |
| OOB_OAM_Port | — | — | — | — |
| S2_MODEL_HUGEPAGE_COUNT | 21 | 21 | 21 | 13 |
| S1_MODEL_HUGEPAGE_COUNT | 9 | 9 | 9 | 5 |
| USE_SINGLE_SSH_TO_NFX | Enabled | Enabled | Enabled | Disabled |
| ENC_ROOT_PASSWORD | Specified | Specified | Specified | Specified |

WAN Port Names
WAN_0 ge-0/0/10
WAN_0 ge-0/0/10
WAN_0 ge-0/0/10
WAN_0 ge-0/0/10
WAN_1 ge-0/0/11
WAN_1 ge-0/0/11
WAN_2 xe-0/0/12
WAN_3 xe-0/0/13
Table 69: Device Templates Supported on SRX Series Services Gateways
| Device Template Name | SRX_Managed_Internet_CPE | SRX_deployment_option_1 | SRX_Advanced_SDWAN_CPE_option_1 | SRX_Advanced_SDWAN_HUB_option_1 |
| --- | --- | --- | --- | --- |
| AUTO_DEPLOY_STAGE2_CONFIG | Disabled | Disabled | Disabled | Disabled |
| ZTP_ENABLED | Enabled | Enabled | Disabled | Disabled |
| PRE-STAGED-CPE | Enabled | — | — | — |
| ACTIVATION_CODE_ENABLED | Disabled | Disabled | Disabled | Disabled |
| OOB_OAM_Port | fxp0 | fxp0 | fxp0 | fxp0 |
| USE_SINGLE_SSH_TO_NFX | — | — | — | — |
| S2_MODEL_HUGEPAGE_COUNT | — | — | — | — |
| S1_MODEL_HUGEPAGE_COUNT | — | — | — | — |
| ENC_ROOT_PASSWORD | — | — | — | — |

WAN Port Names
WAN_0 ge-0/0/0
WAN_0 ge-0/0/0
WAN_0 ge-0/0/0
WAN_0 ge-0/0/0
WAN_1 ge-0/0/1
WAN_1 ge-0/0/1
WAN_1 ge-0/0/1
WAN_2 ge-0/0/2
WAN_2 ge-0/0/2
WAN_3 ge-0/0/3
WAN_3 ge-0/0/3
Related
Documentation
•
Creating a Single POP on page 57
•
Creating Devices on page 87
Cloning a Device Template
Cloning a device template is useful when you want to create a device template that is
similar to an existing one but with small differences. You can clone a device template by
using either of the methods mentioned below:
To clone a device template:
1. Select Resources > Device Templates.
The Device Template page appears.
2. Select the device template that you want to clone, and click Clone.
The Clone Template page appears.
3. Specify an appropriate name for your new device template. For example,
SRX_Advanced_SDWAN_CPE_option_1_Custom.
4. Click Ok.
The cloned device template appears on the Device Template page. You can now edit
the new device template and customize the configurations as needed.
You can also clone the device template by performing the following procedure:
1. Select Resources > Device Templates.
The Device Template page appears.
2. Select the device template that you want to clone, and then select Edit Device
Template > Template Settings.
The Template Settings page appears.
3. Modify the configurations as required and click Save As.
The Create Device template page appears.
4. Specify an appropriate name for your new device template. For example,
SRX_Advanced_SDWAN_CPE_option_1_Custom.
5. Click Ok.
The cloned device template appears on the Device Template page. You can now edit
the new device template and customize the configurations as needed.
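A cloned template starts from the defaults in Table 68 and Table 69 and can then be edited freely, so it is worth checking what a clone changed before it is assigned to sites. The following Python example is added here and is not part of the Juniper guide or of Contrail Service Orchestration; it compares a clone's settings with defaults transcribed from those tables. The dictionary representation of the settings, the severity labels, the sample values, and the EXAMPLE_UNLISTED_PARAM name are assumptions made for illustration.

```python
"""Added example: report what a cloned device template changed relative to
the defaults of the template it was cloned from."""

NOT_SET = "\u2014"  # the dash Tables 68 and 69 print where no value is set

# Defaults transcribed from Table 68 (NFX250) and Table 69 (SRX Series).
DEFAULTS = {
    "NFX_deployment_option_1": {
        "AUTO_DEPLOY_STAGE2_CONFIG": "Disabled",
        "ZTP_ENABLED": NOT_SET,
        "PRE_STAGED_CPE": NOT_SET,
        "ACTIVATION_CODE_ENABLED": "Enabled",
        "OOB_OAM_PORT": NOT_SET,
        "USE_SINGLE_SSH_TO_NFX": "Enabled",
        "ENC_ROOT_PASSWORD": "Specified",
    },
    "SRX_Managed_Internet_CPE": {
        "AUTO_DEPLOY_STAGE2_CONFIG": "Disabled",
        "ZTP_ENABLED": "Enabled",
        "PRE_STAGED_CPE": "Enabled",
        "ACTIVATION_CODE_ENABLED": "Disabled",
        "OOB_OAM_PORT": "fxp0",
        "USE_SINGLE_SSH_TO_NFX": NOT_SET,
        "ENC_ROOT_PASSWORD": NOT_SET,
    },
}

# Assumption of this example: losing either of these defaults is rated HIGH,
# because one gates device activation and the other sets the root password.
PROTECTIVE = {"ACTIVATION_CODE_ENABLED": "Enabled",
              "ENC_ROOT_PASSWORD": "Specified"}


def normalize_key(name):
    # The guide spells the same parameter PRE-STAGED-CPE and PRE_STAGED_CPE,
    # and OOB_OAM_Port in mixed case; fold them to one form.
    return name.strip().upper().replace("-", "_")


def normalize_value(key, value):
    value = (value or "").strip()
    if value in ("", NOT_SET):
        return NOT_SET
    if key == "ENC_ROOT_PASSWORD":
        return "Specified"  # record presence only; never echo the hash
    if value.lower() in ("enabled", "disabled"):
        return value.capitalize()
    return value


def audit_clone(base_name, clone_settings):
    """Return sorted (severity, parameter, default, clone_value) tuples."""
    base = DEFAULTS[base_name]
    clone = {}
    for raw_key, raw_value in clone_settings.items():
        key = normalize_key(raw_key)
        clone[key] = normalize_value(key, raw_value)

    findings = []
    for key, expected in base.items():
        actual = clone.get(key, NOT_SET)
        if actual == expected:
            continue
        lost_protection = PROTECTIVE.get(key) == expected
        findings.append(("HIGH" if lost_protection else "REVIEW",
                         key, expected, actual))
    # Parameters the base template does not define at all.
    for key in sorted(set(clone) - set(base)):
        findings.append(("UNKNOWN", key, NOT_SET, clone[key]))
    return sorted(findings)


# Constructed sample: settings of a hypothetical clone of NFX_deployment_option_1.
SAMPLE_CLONE = {
    "AUTO_DEPLOY_STAGE2_CONFIG": "Enabled",
    "ACTIVATION_CODE_ENABLED": "disabled",
    "USE_SINGLE_SSH_TO_NFX": "Enabled",
    "ENC_ROOT_PASSWORD": "$6$constructed$not-a-real-hash",
    "PRE-STAGED-CPE": NOT_SET,
    "EXAMPLE_UNLISTED_PARAM": "Enabled",  # constructed name, not a CSO parameter
}

if __name__ == "__main__":
    for severity, key, default, value in audit_clone(
            "NFX_deployment_option_1", SAMPLE_CLONE):
        print(f"{severity:8} {key}: default {default}, clone {value}")
```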
Related
Documentation
•
Importing a Device Template on page 116
Importing a Device Template
Use the Resources > Device Templates page to import a device template in JSON format
for the customer.
NOTE: You must create a device template file before you can import a device
template.
•
Creating a Device Template File on page 116
•
Importing a Device Template File on page 117
Creating a Device Template File
To create a file of device information:
1. Select Resources > Device Templates > Import Device Template.
The Import Device Template page appears.
2. Click the Download Sample JSON link to open and save the sample JSON data file.
The sample file opens at the bottom of the page.
3. Save the template file with an appropriate name to your computer.
NOTE: You must retain the file format as .json to successfully upload the
device template details to the Administration Portal.
4. Customize the sample JSON file according to the deployment.
5. Save the customized file.
Importing a Device Template File
Device templates are used to configure cloud CPE devices on a tenant site and these
templates must be assigned to the device before you activate the device.
NOTE: A device template data file is required before you import device
templates.
To import device template configuration:
1. Select Resources > Device Templates > Import Device Template.
The Import Device Template page appears.
2. Click Browse and navigate to the directory containing the device template configuration
JSON file.
3. Select the file and click Open.
4. Click Import Device Templates. If you want to discard the import process, click Cancel
instead.
The Device Templates Import Completed page appears with the details of the
successful import.
5. Click OK to complete the import process.
The imported device template is displayed on the Device Template page.
Related
Documentation
•
Creating a Single POP on page 57
Configuring a Device Template
Device templates contain global parameters and workflows. Global parameters are a
set of variables that can be customized easily.
•
Configuring Template Settings in a Device Template on page 118
•
Updating Stage-2 Configuration Template in a Device Template on page 120
•
Configuring Stage-2 Initial Configuration on page 123
Configuring Template Settings in a Device Template
To configure the device template settings:
1. Select Resources > Device Template.
The Device Templates page appears.
2. Select a device template for which you want to configure the settings and then select
Edit Device Template > Template Settings.
The Template Settings page appears.
3. Complete the configuration settings according to the guidelines provided in
Table 70 on page 118.
4. Click Save.
Table 70: Fields on the Template Settings Page
Name
Description
Customer Parameters
AUTO_DEPLOY_STAGE2_CONFIG
Specify whether to automatically deploy stage-2 configuration
at the end of the Zero Touch Provisioning (ZTP) workflow.
Example: Enabled
ZTP_ENABLED
Specify whether to enable ZTP for the device.
NOTE: This option is supported on SRX Series Services
Gateways only.
Example: Enabled
PRE_STAGED_CPE
Specify whether the CPE device is prestaged with WAN
configuration.
NOTE: This option is supported on SRX Series Services
Gateways only.
Example: Enabled
ACTIVATION_CODE_ENABLED
Specify whether the customer must use an activation code to
activate the CPE device.
Example: Enabled
OOB_OAM_Port
Specify the name of the port used for out-of-band Operation,
Administration, and Maintenance (OAM) traffic. This port is
used in deployments where OAM and data traffic are on
separate physical ports.
NOTE: This option is supported on SRX Series Services
Gateways only.
Example: fxp0
S2_MODEL_HUGEPAGE_COUNT
Specify the number of 1-GB huge pages to be used by the VNFs
on an NFX250-S2 device with a total memory of 32 GB.
Example: 21
USE_SINGLE_SSH_TO_NFX
Specify whether to enable device-initiated connections
(outbound SSH) with port-forwarding capability. Port
forwarding enables Contrail Service Orchestration to manage
an NFX250 device through a single IP address.
Example: Enabled
S1_MODEL_HUGEPAGE_COUNT
Specify the number of 1-GB huge pages to be used by the VNFs
on an NFX250-S1 device with a total memory of 16 GB.
Example: 21
VNF_OAM_TRANSLATED_PORT_START
Specify the first port number that can be used to expose a port
on the gateway router’s OAM or WAN interface through port
translation. Use this option in cases where the VNF does not
have its own OAM IP address from the in-band OAM network.
ENC_ROOT_PASSWORD
Specify the Junos OS-encrypted root password to be set on an
NFX250 device.
Example: *****************
WAN Port Names
Specify the mapping Junos OS interface descriptors for the
hardware ports. The RJ-45 port is the default port for the
NFX250 device. You can change the default port if you want
to use a different type of connector, such as SFP.
GWR_LAN_PORT
Specify the mapping of the gateway router’s LAN port names
to the corresponding front panel physical port names on the
NFX250 device. Currently, the logical ports are created on the
ge-0/0/4 interface.
JCP_LAN_PORT_NAMES
Specify the port names from LAN_0 through LAN_9.
GWR_LAN_PORT_NAMES
Specify the port names from LAN_0 through LAN_9.
LAN_PORT_NAMES
Specify the port names from LAN_0 through LAN_10.
Updating Stage-2 Configuration Template in a Device Template
Each device template has a set of configuration templates that can be used to deploy
additional configuration on to the CPE device after it is activated. These templates are
known as stage-2 configuration templates. You can add or remove stage-2 configuration
templates from a device template.
NOTE: By default, the CPE device configuration is not supported on the CPE
device. If you need the CPE device configuration, then you must configure it
through stage-2 configuration in the device templates.
To add a stage-2 configuration template:
1. Select Resources > Device Template.
The Device Templates page appears.
2. Select a device template for which you want to add the stage-2 configuration and
select Edit Device Template > Stage-2 Config Templates.
The Stage-2 Configuration Templates page appears. Table 71 on page 120 lists the
fields (and their descriptions) on the Stage-2 Configuration Templates page.
3. Click the add icon (+) and complete the configuration settings according to the
guidelines provided in Table 72 on page 121.
4. Click Save.
The new stage-2 configuration template is included in the device template.
Table 71: Fields on the Stage-2 Configuration Templates Page
Name
Description
Name
View the name of the stage-2 configuration template.
Example: LAN side config
Family
View the name of the device family.
Example: juniper-srx
Component Name
View the name of the component through which the settings are configured. The components
that are currently supported are:
•
JUNOS—Supported on SRX Series Services Gateway.
•
Juniper Device Manager (JDM)—Supported on NFX250 device. JDM is a Linux container
that manages software components.
•
Juniper Control Plane (JCP)—Supported on NFX250 device. JCP is the Junos VM running
on the hypervisor. Administrators can use JCP to configure the network ports of the NFX250
device. JCP is used to configure the switching and routing function on the NFX250 device.
•
Gateway Router (GWR)—Supported on NFX250 device. vSRX as a gateway provides the
same capabilities as Juniper Networks SRX Series Services Gateways in a virtual form
factor, providing perimeter security, IPsec connectivity, and filtering for malicious traffic
without sacrificing reliability, visibility, or policy control. This virtual security and routing
appliance ensures reliability and high availability for each application.
Example: JUNOS
Hide
Displays whether the template is hidden on Customer Portal.
•
true—Template is not visible on Customer Portal.
•
false—Template is visible on Customer Portal.
Example: false
Table 72: Fields on the Add New Template Page
Name
Description
Template
Select the configuration template from the drop-down list. The configuration templates are
designed in the Configuration Designer tool.
Example: srx-basic-sdwan-cpe-config
Display Name
Specify the name of the template that you want to display on the configuration interface.
Example: SDWAN Config
Component Name
Specify the component name through which the settings are configured. The components
that are currently supported are:
•
JUNOS—Supported on SRX Series Services Gateway.
•
Juniper Device Manager (JDM)—Supported on NFX250 device. JDM is a Linux container
that manages software components.
•
Juniper Control Plane (JCP)—Supported on NFX250 device. JCP is the Junos VM running
on the hypervisor. Administrators can use JCP to configure the network ports of the NFX250
device. JCP is used to configure the switching and routing function on the NFX250 device.
•
Gateway Router (GWR)—Supported on NFX250 device. vSRX as a gateway provides the
same capabilities as Juniper Networks SRX Series Services Gateways in a virtual form
factor, providing perimeter security, IPsec connectivity, and filtering for malicious traffic
without sacrificing reliability, visibility, or policy control. This virtual security and routing
appliance ensures reliability and high availability for each application.
Example: JUNOS
Hide
Specify whether you want to hide the configuration template on Customer Portal. You might
want to choose to hide the template if you are reusing the template for multiple components.
•
hide—White dot on right with blue background.
•
show—White dot on left with gray background.
Example: hide
Copy From Template
If you have chosen to hide the configuration template on the user interface, then specify the
template from which you want to copy the settings.
Example: srx-mis-lan-to-wan-config
To remove a stage-2 configuration template:
1. Select Resources > Device Templates.
The Device Templates page appears.
2. Select the device template for which you want to remove the stage-2 configuration
and then select Edit Device Template > Stage-2 Config Templates.
The Stage-2 Config Templates page appears.
3. Select a configuration template and click the delete icon (X).
A page requesting confirmation for the deletion appears.
4. Click Yes to confirm that you want to delete the stage-2 configuration template.
The configuration template is deleted.
Configuring Stage-2 Initial Configuration
In general, the tenant administrators initiate stage-2 configuration through Customer
Portal. However, in certain cases, the same stage-2 configuration needs to be deployed
to CPE devices in all sites that are activated using a specific device template. In such
cases, you can attach an initial configuration to a stage-2 config template of a device
template. When a new CPE device in the site is activated using the device template, the
initial configuration is automatically deployed to the CPE device.
The following initial configurations are supported:
•
Policies configuration
•
LAN configuration
•
SD-WAN configuration
•
Routing configuration
To update an initial configuration for a stage-2 configuration template:
1. Select Resources > Device Templates.
The Device Templates page appears.
2. Select the device template for which you want to configure the stage-2 configuration
and then select Edit Device Template > Stage-2 Initial Config.
The Stage-2 Initial Configuration page appears, listing the existing settings.
3. Complete the configuration settings according to the guidelines provided in
Table 73 on page 123, Table 74 on page 124, and Table 75 on page 124.
4. Click Ok.
Table 73: Fields for the VLAN Settings on the Stage-2 Initial Configuration Page
Field
Description
VLAN ID
Specify the identifier for the Layer 2 VLAN for the CPE device.
Example: 230
IRB IP Prefix
Specify the IP address, including the subnet prefix, and the integrated routing
and bridging (IRB) interface on the CPE device.
Example: 192.0.2.15/24
LAN Ports
Specify the LAN ports on the CPE device.
Example: ge-0/0/0
Table 74: Fields for the LAN Settings on the Stage-2 Initial Configuration Page
Field
Description
LAN port
Specify the LAN ports on the CPE device.
Example: ge-0/0/0
IP Address
Specify the IP address on the CPE device.
Example: 192.0.2.255
Table 75: Fields for the SRX Basic SD-WAN Settings on the Stage-2 Initial Configuration Page
Field
Description
Manage App Group
Click to manage the application groups. The application group is predefined
in the system for all SRX Series and vSRX configuration settings. The settings
are preloaded and displayed on the portal. You can also create new application
groups.
Manage App SLA Profile
Click to manage the application service-level agreements (SLA) profiles.
Rule Name
Specify the rule name.
Example: critical-apps
Application/Groups
Specify the applications or application groups for the rule.
Example: Oracle, SAP
Application SLA Profile
Specify the application SLA profile for the rule.
Example: critical-apps
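The initial configuration attached here is deployed automatically to every CPE device activated with the template, so a bad VLAN value propagates to all of those sites. The following Python example is added here and is not part of the Juniper guide or of Contrail Service Orchestration; it checks VLAN rows (the fields of Table 73) before they are entered. The dictionary keys, the port-name pattern, and all sample rows other than the first (which uses the guide's own example values) are assumptions or constructed data.

```python
"""Added example: sanity-check VLAN rows before attaching them to a
stage-2 initial configuration."""
import ipaddress
import re

# Assumption: physical Junos ports follow <type>-<fpc>/<pic>/<port>,
# as in the guide's ge-0/0/0 example.
PORT_RE = re.compile(r"^[a-z]{2}-\d+/\d+/\d+$")


def irb_interface(prefix):
    """Parse an IRB IP prefix; raise ValueError with a reason if unusable."""
    if "/" not in prefix:
        raise ValueError("has no subnet prefix length")
    iface = ipaddress.ip_interface(prefix)  # ValueError on bad syntax
    net = iface.network
    # On IPv4 subnets of /30 or shorter the first and last addresses
    # cannot be assigned to an interface.
    if iface.version == 4 and net.prefixlen <= 30:
        if iface.ip == net.network_address:
            raise ValueError(f"is the network address of {net}")
        if iface.ip == net.broadcast_address:
            raise ValueError(f"is the broadcast address of {net}")
    return iface


def validate_vlan_settings(rows):
    """Return a list of human-readable problems; empty means no findings."""
    errors = []
    seen_ids = {}    # VLAN ID -> row number that first used it
    seen_nets = []   # (row number, network) of every accepted IRB prefix
    for n, row in enumerate(rows, start=1):
        vid = row.get("vlan_id")
        if isinstance(vid, bool) or not isinstance(vid, int) \
                or not 1 <= vid <= 4094:
            errors.append(f"row {n}: VLAN ID {vid!r} is outside 1-4094")
        elif vid in seen_ids:
            errors.append(
                f"row {n}: VLAN ID {vid} already used by row {seen_ids[vid]}")
        else:
            seen_ids[vid] = n

        prefix = str(row.get("irb_ip_prefix", ""))
        try:
            iface = irb_interface(prefix)
        except ValueError as exc:
            errors.append(f"row {n}: IRB IP prefix {prefix!r}: {exc}")
        else:
            for m, other in seen_nets:
                if iface.version == other.version \
                        and iface.network.overlaps(other):
                    errors.append(
                        f"row {n}: subnet {iface.network} overlaps "
                        f"{other} from row {m}")
            seen_nets.append((n, iface.network))

        for port in row.get("lan_ports", []):
            if not PORT_RE.match(port):
                errors.append(
                    f"row {n}: LAN port {port!r} is not a Junos port name")
    return errors


SAMPLE_ROWS = [
    # Row 1 uses the example values printed in Table 73.
    {"vlan_id": 230, "irb_ip_prefix": "192.0.2.15/24",
     "lan_ports": ["ge-0/0/0"]},
    # Rows 2 and 3 are constructed to show the failure cases.
    {"vlan_id": 230, "irb_ip_prefix": "192.0.2.129/25",
     "lan_ports": ["ge-0/0/1"]},
    {"vlan_id": 4095, "irb_ip_prefix": "198.51.100.0/24",
     "lan_ports": ["LAN_2"]},
]

if __name__ == "__main__":
    for problem in validate_vlan_settings(SAMPLE_ROWS):
        print(problem)
```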
See Also
•
About the Device Template Page on page 111
Related
Documentation
•
Modifying a Device Template Description on page 124
Modifying a Device Template Description
The device template description provides a brief overview of the supported platform,
tenant, site, deployment model, and additional features supported through the template.
To modify the description of the device template:
1. Select the device template that you want to modify, and click the edit icon.
The Edit Device template page appears.
2. Enter a meaningful description for the device template. For example: NFX250 deployed
as a CPE device with SD-WAN capability.
3. Click Ok to save the changes.
The description that you updated is listed in the device template table.
Related
Documentation
•
About the Device Template Page on page 111
Deleting a Device Template
Before deleting a device template, ensure that the template is not associated with any
tenant site or a CPE device.
To delete a device template file:
1. Select Resources > Device Templates.
The Device Template page appears.
2. Select the device template that you want to delete and click Delete.
A page requesting confirmation for the deletion appears.
3. Click Yes to confirm that you want to delete the device template.
The device template is deleted.
Related
Documentation
•
About the Device Template Page on page 111
CHAPTER 13
Managing Software Images
•
Device Images Overview on page 127
•
About the Device Images Page on page 128
•
Deploying Device Images to Devices on page 129
•
Uploading a Device Image on page 131
•
Deleting Device Images on page 133
Device Images Overview
An image management system provides full lifecycle management of images for all
network devices, including CPE device and virtualized network function (VNF) images.
A device image is a software installation package for the CPE device or an image for a
virtual application that runs on the device. For example, for an NFX Series device platform,
you require an NFX software image and a software image for the vSRX application that
provides security functions and routing on the device. You install a VNF image on a CPE
device or on a server in a service provider’s cloud to deploy the VNF in that location.
Administration Portal enables you to upload both CPE device and VNF images from your
local file system and deploy them on a single device or simultaneously on multiple devices
of the same family. CPE device images include software images for the NFX Series, MX
Series, and SRX Series. You can download software images from Junos Platforms Download Software.
After you upload a CPE device or VNF image, you can stage the image on a device, verify
the checksum, and deploy the staged image using the Deploy option from the Images
page. You can also schedule the staging, deployment, and validation of a device image.
In addition, you can modify the platforms supported by the device image and the
description of the device image.
You can store all the images in a central repository and use a file service to retrieve images
from the file server when the image needs to be deployed to the devices.
Related
Documentation
•
About the Device Images Page on page 128
About the Device Images Page
To access this page, click Resources > Images.
You can use the Device Images page to view uploaded device images for physical and
virtual devices and upload device images from your local file system. You can deploy
device images on a single device or simultaneously on multiple devices of the same
family. See “Device Images Overview” on page 127.
Tasks You Can Perform
You can perform the following tasks from this page:
•
Upload device images. See “Uploading a Device Image” on page 131.
•
Deploy device images. See “Deploying Device Images to Devices” on page 129.
•
View details about a device image. Click the details icon that appears when you hover
over the name of an image or click More > Details. See “Viewing Object Details” on
page 14.
•
Show or hide columns that contain information about the device image. See “Sorting
Objects” on page 15.
•
Search an object for a device image. See “Searching for Text in an Object Data Table”
on page 15.
•
View the history of image upgrade. Click Image Upgrade History > Upgrade History at
the top right corner of a page. See Table 77 on page 129.
Field Descriptions
Table 76 on page 128 shows the fields on the Device Images page.
Table 76: Fields on the Images Page
Field
Description
Image Name
View the name of the device image.
Example: juniper_srx_v1.tgz
Type
View the type of the device image.
Example: VNF Image
Version
View the version number of the device image.
Example: 1.1
Vendor
View the vendor name of the device.
Example: Juniper
Size
View the size of the device image.
Example: 14 KB
Table 77 on page 129 shows fields on the Upgrade History page.
Table 77: Fields on the Upgrade History Page
Field
Description
In progress
View the number of image upgrade tasks that are in progress.
Success
View the number of image upgrade tasks that are successful.
Failure
View the number of image upgrade tasks that have failed.
Name
View the name of the task.
Start Date
View the start date and time of the task.
End Date
View the end date and time of the task.
Status
View the status of the task to know whether the task succeeded or failed.
Log
View the import logs. Click a log to access more detailed information about the upgrade
images.
Related
Documentation
•
Uploading a Device Image on page 131
•
Deploying Device Images to Devices on page 129
Deploying Device Images to Devices
Use the Device Images page to view a list of physical and virtual devices that are relevant
to the selected image. You can deploy an image on a single device or multiple devices
on a per-site basis or across all sites of a tenant. A device can be a CPE device or a virtual
network function (VNF). You can also schedule the deployment of images.
To deploy a device image to the device:
1. Select Resources > Images.
The Images page appears.
2. Select the device image to be deployed on the device and then click the Deploy button.
The Deploy Image: Select Devices page appears and a list of compatible devices (CPE
and VNF) for the selected image is retrieved and displayed with their associated
information in the page. See Table 78 on page 130 for the details of the device.
NOTE: The Deploy button is enabled only for the device images.
4. Select one or more devices on which the device image needs to be deployed and
schedule a date and time for image deployment.
Table 78: Fields on the Deploy Image: Select Devices Page
Field
Description
Device Name
View the name of the device configured in the point of presence (POP) or site.
Example: sunny-NFX-250
Tenant
View the name of the tenant.
Example: tenant-blue
Site Name
View the name of the tenant site.
Example: site-blue-white
Location
View the name of the location.
Example: San Jose, CA
WAN Links
View the number of WAN links.
Example: 3
POP Name
View the name of the POP.
Example: pop_blue
Management Status
View the management status of the devices deployed in the cloud.
•
EXPECTED—Regional server has activation details for the device, but the device has not
yet established a connection with the server.
•
ACTIVE—Device has downloaded images, but is not yet configured.
•
PROVISIONED—IPsec tunnel on the NFX250, SRX, or vSRX device is operational.
•
PROVISION_FAILED—Device failed if the vSRX was not instantiated properly.
Model
View the name of the device model.
Example: NFX250
Active Services
View the number of services that are activated for the device.
Example: 3
Choose Deployment Type
Run now
Select this option if you want to deploy the image to the device immediately.
Schedule at a later time
Select this option to schedule the image deployment for a later date and time.
Related
Documentation
•
About the Device Images Page on page 128
Uploading a Device Image
On the Images page, you can upload image files for CPE and VNF devices that you use
in a distributed, centralized, or combined deployment. You can
also add some metadata about the device image file that you upload to the device.
To upload a device image for the device:
1. Click Resources > Images.
The Images page appears.
2. Click the add icon (+).
The Upload Image page appears.
3. Enter the required details in the fields on the Upload Image page. See the field
descriptions in Table 79 on page 131.
4. Click Upload. If you want to discard the upload device image process, click Abort
instead.
The Upload Image page displays the progress of the image upload.
5. Click OK to save the changes.
You are returned to the Images page.
Table 79: Fields on the Upload Device Image Page
Field
Description
Name
Specify the filename for the device image that you are uploading.
Example: juniper_nfx_250_v1.tgz
Image Type
Specify the type of device image.
•
Device Image—Software image for the physical device (CPE).
•
VNF Image—Software image for the virtual device (VNF).
•
VNF Script—Provision script for the VNF image.
•
EMS Plugin Package—EMS plugin package to support a new device family.
•
Device Extension Package—Extension software package that can be installed
on the device.
•
Boot Config Image—Boot configuration ISO image that can be used to boot
up the VNF or virtual device.
•
Telemetry Agent Package—Installable package containing telemetry agent to
run on a device. For example, NFX.
•
VNFM Plugin Package—Installable package containing VNF Manager (VNFM)
plugin specific to a certain set of VNFs.
Description
Enter a description of the device image.
File Location
Click Browse to navigate to the file location in your local system and select an
image file to upload.
Vendor
Specify the vendor name of the device.
Example: Juniper Networks.
Family
Specify the name of the device family.
Example: NFX
Supported Platform
Specify the platform supported by the device image.
Example: NFX250
Major Version Number
Specify the major version of the device image.
Example: 12
Minor Version Number
Specify the minor version of the device image.
Example: 1
Build Number
Specify the build name of the device image.
Example: X53-D102.2
Related
Documentation
•
Device Images Overview on page 127
•
About the Device Images Page on page 128
Deleting Device Images
You can delete one or more device images from the Images page.
To delete a device image:
1. Select Resources > Images.
The Images page appears with a list of device images.
2. Select the device image that you want to delete and then click the X icon.
The Confirm Delete page appears.
3. Click Yes to confirm.
The device image is deleted.
Related
Documentation
•
About the Device Images Page on page 128
CHAPTER 14
Configuring Network Services
•
Network Services Overview on page 135
•
About the Network Services Page on page 136
•
About the Service Overview Page on page 138
•
About the Service Instances Page on page 139
•
Configuring VNF Properties on page 141
•
Assigning a Service to Tenants on page 141
•
Removing a Service from Tenants on page 142
•
Viewing a Service Configuration on page 142
•
vSRX VNF Configuration Settings on page 143
•
LxCIPtable VNF Configuration Settings on page 150
•
Cisco CSR-1000v VNF Configuration Settings on page 153
•
Riverbed Steelhead VNF Configuration Settings on page 154
•
Silver Peak VX VNF Configuration Settings on page 155
•
Managing a Single Service on page 155
Network Services Overview
A network service is a final product offered to end users with a full description of its
functionality and specified performance.
Administrative users deploy network services between two locations in a virtual network,
so that traffic traveling in a specific direction on that link is subject to action from that
service. The term network service is defined in the ETSI Network Functions Virtualization
(NFV) standard.
A network service consists of a service chain of one or more linked network functions,
which are provided by specific virtualized network functions (VNFs), with a defined
direction for traffic flow and defined ingress and egress points. The term service chain
refers to the structure of a network service, and although not defined in the ETSI NFV
standard, this term is regularly used in NFV and software-defined networking (SDN).
A network service designer creates network services in Network Service Designer. When
the designer publishes the service to the network service catalog from Network Service
Designer, administrators can see the network service in Administration Portal.
Related Documentation
• About the Network Services Page on page 136
About the Network Services Page
To access this page, click Configuration > Network Services.
You can use the Services page to view the complete list of network services that service
designers have published to the network service catalog from Network Service Designer
and to view information about the services. For an introduction to network services, see
“Network Services Overview” on page 135.
Tasks You Can Perform
You can perform the following tasks from this page:
• Quickly view important data about services and about instances of those services
deployed at customers’ sites in the widgets that appear at the top of the page. See
Table 80 on page 136.
• Assign a service to one or more tenants. See “Assigning a Service to Tenants” on page 141.
• Remove a service from one or more tenants. See “Removing a Service from Tenants”
on page 142.
• View full information about a service and about instances of a service at customer
sites. Click the name of a service in the list. See “About the Service Instances Page” on
page 139.
Field Descriptions
Table 80 on page 136 shows the descriptions of the widgets that appear at the top of the
Services page.
Table 80: Widgets on the Services Page
Widget
Description
Top Network Services Used
View the numbers of instances of the three services that are most used by tenants in
the network.
This view might help you to identify trends for network services, especially when you
introduce a new service.
Services with Critical Alerts
View the top three network services that are receiving the maximum number of critical
alerts in the network.
Top Services by POP CPU Usage
View the top three network services that are using the largest percentage of CPU from
the assigned cores in the network.
Table 81 on page 137 shows the descriptions of the fields on the Network Services page.
Table 81: Fields on the Services Page
Field
Description
Name
View the name of the network service.
Click the name to view full information about a service.
Tenants
View the number of tenants and the names of the tenants that have access to this network service.
• View the name of the first tenant that used the network service (left of the table cell).
• View the additional number of tenants using this network service (right of the table cell).
• Hover over the additional number of tenants to view a complete list of all the tenants using this
network service.
Sites
View the total number of sites at which the network service is deployed for the tenant.
Instances
View the total number of occurrences of the network service that administrative users have activated
for the tenant.
Last Update
View the date on which the network service designer last modified the service.
Table 82 on page 137 shows the descriptions of the fields on the Detail for Service-Name
page.
Table 82: Fields on the Service Detail Page
Field
Description
General Information
Type
View the category of service.
Configuration
View the settings that the network service designer or you have configured for this service.
Version
View the version number of the network service.
State
View the status of the network service.
Example: Published
Performance Goals
View the performance of the network service, which includes bandwidth, number of sessions,
and latency.
Related Documentation
• Network Services Overview on page 135
• About the Service Overview Page on page 138
• About the Service Instances Page on page 139
• Assigning a Service to Tenants on page 141
• Removing a Service from Tenants on page 142
• Viewing Object Details on page 14
About the Service Overview Page
To access this page, click Configuration > Network Services > Service Name > Overview.
You can use the Service Overview page to view information about a service that the
service designer has published to the network service catalog from Network Service
Designer.
Tasks You Can Perform
You can perform the following tasks from this page:
• View administrative details about the service. See General Information in
Table 83 on page 138.
• View resources required for the service and its performance specification. See Service
Requirements and Service Performance in Table 83 on page 138.
• View the service chain, with its constituent VNFs. See Service Configuration in
Table 83 on page 138.
Field Descriptions
Table 83 on page 138 provides guidelines on using the fields on the Service Overview page.
Table 83: Fields on the Service Overview Page
Field
Description
General Information
Description
View a summary about the service’s capabilities.
The network service designer provides this summary.
State
View the state of the network service:
• Discontinued—Service is no longer available for customers.
• Published—Service designer has published service to network catalog, and it is available for
customers.
Tenants
View the number of tenants using this service.
Service Requirements
CPU
View the number of CPUs that the service needs (cores).
Memory
View the amount of RAM that the service needs in gigabytes (GB).
Service Performance
Sessions
View the number of sessions concurrently supported by one instance of the service.
Bandwidth
View the data rate for the service in megabytes per second (Mbps) or gigabytes per second
(Gbps).
Latency
View the time a packet takes to traverse the service in milliseconds (ms) or nanoseconds (ns).
License cost
Specify the license cost for the network service in USD.
Service Configuration (graphic of the service chain)
I
View the ingress point—the point at which packets enter the service.
E
View the egress point—the point at which packets exit the service.
One or more VNFs
Click to view settings for the VNF. See “vSRX VNF Configuration Settings” on page 143.
The service designer can configure the VNF settings in Network Service Designer and the
administrative user can configure the VNF settings in Customer Portal.
BEST PRACTICE: The network service designer configures settings for the virtual machine (VM)
in which the virtualized network function (VNF) resides and the administrative user configures
settings for the service, such as policies. The service designer can also configure a few example
settings for the service. These example settings should be generic and not network-specific.
Related Documentation
• About the Network Services Page on page 136
• vSRX VNF Configuration Settings on page 143
• LxCIPtable VNF Configuration Settings on page 150
• Cisco CSR-1000v VNF Configuration Settings on page 153
• Silver Peak VX VNF Configuration Settings on page 155
About the Service Instances Page
To access this page, click Configuration > Network Services > Service Name > Instances.
You can use the Service Instances page to view information about occurrences of the
service at specific customer sites.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a service instance. Click the details icon that appears when you
hover over the name of a service. See Table 85 on page 140.
• Enable or disable a network service or virtualized network function (VNF) recovery.
Select a service instance and click Enable Auto Healing to enable automatic recovery
of a network service or VNF in a centralized deployment. By default, automatic recovery
of a network service or VNFs is enabled. See “Configuring VNF Properties” on page 141.
Field Descriptions
Table 84 on page 140 shows the descriptions of the fields on the Service Instances page.
Table 84: Fields on the Service Instances Page
Field
Description
Name
View the name of the occurrence of a service at a specific tenant site.
Tenant
View the name of the tenant.
Status
View the state of the service at the customer site:
• Created—Administrative user for the tenant has enabled this service instance, which is active.
• Blank—Administrative user for the tenant has disabled this service instance.
Site
View the name of the site at which the service occurrence is available.
POP
View the POP in which the site is located.
Functions
View network functions that the service offers; for example, Network Address Translation (NAT)
or firewall.
Table 85 on page 140 shows the descriptions of the fields on the Detail for
Service-Instance-Name page.
Table 85: Fields on the Service Instance Details Page
Field
Description
General
Description
View information about this service instance.
This information is generated from data in Customer Portal.
Related Documentation
• Network Services Overview on page 135
• About the Network Services Page on page 136
Configuring VNF Properties
You can specify whether to enable automatic recovery of a network service or virtualized
network function (VNF) for a network service instance in a centralized deployment.
Enabling automatic recovery of a network service or VNF improves reliability of the
implementation.
Conversely, disabling automatic recovery of a network service or VNF allows you to quickly
investigate a problem with a network service or VNF itself.
To enable or disable automatic recovery of a network service or VNF:
1. Select Configuration > Network Services > Services Name > Instances.
The Services Instances page appears.
2. Select a service instance for which you want to enable or disable automatic recovery.
3. Click Enable Auto Healing.
The Service Properties page appears.
4. Select whether you want to enable or disable automatic recovery.
NOTE: By default, automatic recovery of a network service or VNF is
enabled.
5. Click Save.
Related Documentation
• About the Service Instances Page on page 139
Assigning a Service to Tenants
For a tenant to have access to a service, you must assign the service to the tenant. You
can assign a service to multiple tenants simultaneously; however, you can assign only
one service at a time.
To assign a service to tenants:
1. Select Configuration > Network Services.
The Network Services page appears.
2. Select the service that you want to assign to the tenants.
3. Click Assign Services.
The Assign Service to Tenants page appears.
4. Select the tenants to which you want to assign the service.
5. Click OK to save the changes.
Related Documentation
• About the Network Services Page on page 136
• Removing a Service from Tenants on page 142
Removing a Service from Tenants
You can remove a service from one or more tenants simultaneously. You can only remove
one service at a time, however.
To remove a service from tenants:
1. Click Configuration > Network Services.
The Network Services page appears.
2. Select the service that you want to remove from the tenants.
3. Click Detach Services.
The Detach Service from Tenants page appears.
4. Select the tenants from which you want to remove the service.
5. Click Ok.
Related Documentation
• About the Network Services Page on page 136
• Assigning a Service to Tenants on page 141
Viewing a Service Configuration
The following personnel can configure network services.
• The network service designer can configure a service in Network Service Designer.
• The administrative user for the tenant can configure a service in Customer Portal.
Settings that the administrative user configures override any settings that the network
service designer or administrator configures.
BEST PRACTICE: The network service designer configures settings for the
virtual machine (VM) in which the virtualized network function (VNF) resides
and the administrative user configures settings for the service, such as policies.
The service designer can also configure a few example settings for the service.
These example settings should be generic and not network-specific.
To configure a service:
1. Select Configuration > Network Services > Service Name > Overview.
The Services Overview page for the service that you selected appears.
2. In the service chain graphic, click the first VNF.
The Service page appears.
3. Click each tab to review the settings.
The Base Configure tab shows the settings for the virtual machine (VM) that contains
the VNF, and the other tabs show the settings for specific functions in the VNF.
Refer to the related topics for the specific VNF settings for details on the configuration
settings.
4. (Optional) Click the next VNF in the service chain graphic to view settings for that
VNF.
5. Click Ok.
Related Documentation
• vSRX VNF Configuration Settings on page 143
• LxCIPtable VNF Configuration Settings on page 150
• Cisco CSR-1000v VNF Configuration Settings on page 153
• Silver Peak VX VNF Configuration Settings on page 155
vSRX VNF Configuration Settings
You can configure the vSRX VNF from Configuration > Network Services > Service Name
> Overview > Service Configuration. Your service provider usually configures base settings
for the virtual machine (VM) in which the virtualized network function (VNF) resides and
you configure settings for the service, such as policies.
NOTE: A vSRX firewall virtualized network function (VNF) is always part of
a service chain for a network service on a CPE device.
Use the information in the following tables to provide values for the available settings:
• Table 86 on page 144 shows the settings you can configure for the virtual machine (VM)
that contains the VNF.
NOTE: Your service provider usually configures the base settings and you
should not need to change them.
• Table 87 on page 145 shows the firewall settings you can configure.
• Table 88 on page 147 shows the network address translation (NAT) settings you can
configure.
• Table 89 on page 148 shows the unified threat management (UTM) settings you can
configure.
Table 86: Fields for the vSRX Base Settings
Field
Description
Host Name
For a cloud site, specify the hostname of the VM that contains the vSRX VNF. The field has no
limit on the number of characters and accepts letters, numbers, and symbols.
Example: vm-vsrx
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
Loopback Address
Specify an IPv4 loopback address for the management interface of the VM.
Example: 192.0.2.25
DNS Servers
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name
servers.
Example: 192.0.2.35
NTP Servers
Specify the FQDNs or IP addresses of one or more NTP servers.
Example: 192.0.2.45
Syslog Servers
Specify the FQDNs or IP addresses of one or more system log servers.
Example: 192.0.2.55
Enable Re-filter
Select True to enable a stateless firewall filter that protects the Routing Engine from
denial-of-service (DoS) attacks or False to allow DoS attacks.
Example: True
Enable Default Screens
For a cloud site, select True to enable the default screens security profile for the destination zone
or False to disable default screening.
Example: False
You cannot configure this setting for an on-premise site.
Time Zone
Specify the time zone for the VM.
Example: UTC
Right Interface
Specify the identifier of the VM interface that transmits data.
Example: ge-0/0/1
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
Left Interface
Specify the identifier of the VM interface that receives data.
Example: ge-0/0/0
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
SNMP Prefix List
If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for SNMP operations when it discovers the vSRX VNF.
Example: 10.0.2.0/24
Ping Prefix List
If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for ping operations when it discovers the vSRX VNF.
Example: 10.0.2.1/24
Space Servers
If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the
Junos Space Virtual Appliances.
Example: 10.0.2.50
Table 87: Fields for the vSRX Firewall Settings
Field
Description
Policy Name
Specify the name of the rule. The field has no limit on the number of characters and accepts letters,
numbers, and symbols.
Example: policy-1
Source Zone
Select the security zone from which packets originate.
• left—Interface that transmits data to the host
• right—Interface that receives data transmitted from the host
Zone policies are applied to traffic traveling from one security zone (source zone) to another security
zone (destination zone). This combination of a source zone and a destination zone is called a context.
Example: left
Destination Zone
Select the security zone to which packets are delivered.
• left—Interface that transmits data to the host
• right—Interface that receives data transmitted from the host
Zone policies are applied to traffic traveling from one security zone (source zone) to another security
zone (destination zone). This combination of a source zone and a destination zone is called a context.
Example: right
Source Address
Specify the source IP address prefixes that the network service uses as match criteria for incoming traffic.
To add source addresses:
1. Click the Source Address column.
The source-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source
IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 10.0.2.30
Destination Address
Specify the destination IP address prefixes that the network service uses as match criteria for outgoing
traffic.
To add a destination address:
1. Click the Destination Address column.
The destination-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source
IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.0/24
Action
Select permit to transmit packets that match the rule or deny to drop packets that match the rule.
Example: permit
Application
Specify the applications to which the policy applies. The applications are based on protocols and ports.
To specify applications:
1. Click the Application column.
The application page appears.
2. In the allowed_apps field, select any to match any application or app to choose specific applications.
If you select app, press and hold the Ctrl key and click the required applications from the drop-down
list.
• junos-tcp-any
• junos-udp-any
• junos-ftp
• junos-http
• junos-https
• junos-icmp-all
• junos-icmp-ping
• junos-telnet
• junos-tftp
3. Click OK.
Example:
• junos-tcp-any
• junos-udp-any
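A policy built from the Table 87 fields can be checked before it is saved. The following added example (not part of the Juniper guide or of CSO) lints policies expressed as Python dictionaries; the dictionary layout, function names and sample policies are assumptions made for illustration, and only the allowed field values come from the table.

```python
import ipaddress

# Allowed values, taken from the vSRX firewall settings table above.
ZONES = {"left", "right"}
ACTIONS = {"permit", "deny"}
APPLICATIONS = {
    "junos-tcp-any", "junos-udp-any", "junos-ftp", "junos-http", "junos-https",
    "junos-icmp-all", "junos-icmp-ping", "junos-telnet", "junos-tftp",
}
# Listed applications whose protocols send credentials and data unencrypted.
CLEARTEXT_APPS = {"junos-telnet", "junos-ftp", "junos-tftp"}
# Listed applications that match every port of a transport protocol.
BROAD_APPS = {"junos-tcp-any", "junos-udp-any"}


def check_address(field, value, findings):
    """Validate 'any' or an IP prefix; return True when the value is 'any'."""
    if value == "any":
        return True
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        findings.append(("error", f"{field}: '{value}' is neither 'any' nor an IP prefix"))
        return False
    if iface.ip != iface.network.network_address:
        findings.append(("warn", f"{field}: '{value}' has host bits set and matches {iface.network}"))
    return False


def lint_policy(policy):
    """Return a list of (severity, message) findings for one policy dict."""
    findings = []
    for field in ("source_zone", "destination_zone"):
        if policy.get(field) not in ZONES:
            findings.append(("error", f"{field}: '{policy.get(field)}' is not left or right"))
    action = policy.get("action")
    if action not in ACTIONS:
        findings.append(("error", f"action: '{action}' is not permit or deny"))

    src_any = check_address("source_address", policy.get("source_address"), findings)
    dst_any = check_address("destination_address", policy.get("destination_address"), findings)

    apps = policy.get("applications", "any")
    apps_any = apps == "any"
    if isinstance(apps, str) and not apps_any:
        apps = [apps]
    if not apps_any:
        unknown = sorted(set(apps) - APPLICATIONS)
        if unknown:
            findings.append(("error", f"applications: not in the documented list: {unknown}"))

    if action == "permit":
        if src_any and dst_any and apps_any:
            findings.append(("warn", "permits any source, any destination and any application"))
        elif not apps_any:
            cleartext = sorted(set(apps) & CLEARTEXT_APPS)
            if cleartext:
                findings.append(("warn", f"permits cleartext applications: {cleartext}"))
            broad = sorted(set(apps) & BROAD_APPS)
            if broad:
                findings.append(("warn", f"permits every port of a protocol: {broad}"))
    return findings


def lint_policies(policies):
    """Lint every policy; return {policy name: [(severity, message), ...]}."""
    return {p.get("name", f"<policy {i}>"): lint_policy(p) for i, p in enumerate(policies)}


# Constructed sample policies (illustrative, not exported from CSO).
SAMPLE_POLICIES = [
    {"name": "policy-1", "source_zone": "left", "destination_zone": "right",
     "source_address": "10.0.2.30", "destination_address": "192.0.2.0/24",
     "action": "permit", "applications": ["junos-https"]},
    {"name": "policy-2", "source_zone": "left", "destination_zone": "right",
     "source_address": "any", "destination_address": "any",
     "action": "permit", "applications": "any"},
    {"name": "policy-3", "source_zone": "right", "destination_zone": "left",
     "source_address": "10.0.2.1/24", "destination_address": "any",
     "action": "permit", "applications": ["junos-telnet", "junos-tcp-any"]},
    {"name": "policy-4", "source_zone": "trust", "destination_zone": "right",
     "source_address": "any", "destination_address": "not-an-ip",
     "action": "allow", "applications": ["junos-ssh"]},
]

if __name__ == "__main__":
    for name, findings in lint_policies(SAMPLE_POLICIES).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```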
Table 88: Fields for the vSRX NAT Settings
Field
Guidelines
NAT Source Name
Specify the source IP address of packets that the policy rules match.
Example: 10.0.2.2/24
NAT Destination Name
Specify the destination IP address of packets that the policy rules match.
Example: 10.0.2.3/24
NAT policy settings—For information about the following policy settings, see the firewall policy settings in Table 2.
• Policy Name
• Source Zone
• Destination Zone
• Source Address
• Destination Address
• Action
• Application
Table 89: Fields for the vSRX UTM Settings
Field
Description
Antivirus
Select True to check for viruses in application layer traffic against a virus signature database.
Select False to disable checking for viruses.
Example: True
Antispam
Select True to block spam e-mails or False to allow spam e-mails.
Example: True
Antispam Black List
Specify an address blacklist for local spam filtering.
Blacklists contain e-mail addresses from which you do not want to receive messages.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there
is no match, then the blacklist is checked.
Example: john@example.net
Antispam White List
Specify an address whitelist for local spam filtering.
Whitelists contain e-mail addresses from which you want to receive messages.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there
is no match, then the blacklist is checked.
Example: user@example.net
Antispam Action
Select the antispam action that you want the device to take when it detects spam:
• block—Blocks the message
• tag-subject—Tags the subject field with a preprogrammed string
• tag-header—Tags the message header with a preprogrammed string
Example: block
Content Filter
Select True to block different types of traffic based on the MIME type, file extension, protocol
command, and embedded object type or False to permit these types of traffic.
Example: True
Content Filter Extensions
Specify one or more file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3
connections.
Example: exe, pdf, js
Content Filter Mime
Specify the MIME types to be blocked or permitted over HTTP, FTP, SMTP, IMAP, and POP3
connections.
Example: application, exe
Content Filter Protocol Commands
Specify commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols to block traffic based
on these commands.
Example: put, mput
Content Filter Content Type
Press and hold the Ctrl key and click one or more of the following types of content to specify
filtering of traffic that is supported only for HTTP and is not covered by file extensions or MIME
types:
• Active X
• Windows executable files (.exe)
• HTTP cookie
• Java applet
• Zip files
Example: activex, exe
Content Filter Apply To
Press and hold the Ctrl key and click one or more of the following protocols in the drop-down
list to specify filtering of traffic associated with these protocols:
• HTTP
• FTP
• POP3
• IMAP
• SMTP
Example: http, ftp
Webfilter
Select True to prevent access to specific websites and embedded object types or False to
permit access to all websites.
Example: True
Web Filter Black List
Specify URLs to create a blacklist of websites to block.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple
user-defined categories, each with a permit or block action.
Example:
• www.example1.com
• www.example2.com
Web Filter White List
Specify URLs to create a whitelist of websites that users can always access.
With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and
extracts the URL. The network service then looks up the URL to determine whether it is in the
whitelist or blacklist based on its user-defined category.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple
user-defined categories, each with a permit or block action.
Example: www.example3.net
Policy settings—For information about the following policy settings, see the firewall policy settings in Table 2.
• Source Zone
• Destination Zone
• Source Address
• Destination Address
• Action
• Application
Related Documentation
• About the Network Services Page on page 136
• About the Service Overview Page on page 138
• Viewing a Service Configuration on page 142
• LxCIPtable VNF Configuration Settings on page 150
• Cisco CSR-1000v VNF Configuration Settings on page 153
• Silver Peak VX VNF Configuration Settings on page 155
LxCIPtable VNF Configuration Settings
You can configure the LxCIPtable virtualized network function (VNF) from Configuration
> Network Services > Service Name > Overview > Service Configuration.
Your service provider usually configures base settings for the virtual machine (VM) in
which the virtualized network function (VNF) resides and you configure settings for the
service, such as policies.
Use the information in the following tables to provide values for the available settings:
• Table 90 on page 151 shows the base settings you can configure for the Linux container.
NOTE: Your service provider usually configures the base settings and you
should not need to change them.
• Table 91 on page 151 shows the firewall settings you can configure.
• Table 92 on page 152 shows the Network Address Translation (NAT) settings you can
configure.
Table 90: Fields for the LxCIP Base Settings
Field
Description
Loopback Address
Specify a loopback IP address.
Example: 192.0.2.10
Operation
Select add to apply the policies to a specific route or del to prevent use of the policies on
specific routes.
Example: add
Route
Specify the IP prefix of the route to which the policies should apply.
Example: 192.0.2.20/24
NextHop
Specify the IP address of a Contrail gateway network to which the VM connects.
Example: 192.0.2.20
Table 91: Fields for the LxCIP Firewall Policy Settings
Field
Description
Firewall Policies
Prevent SSH Brute
Select True to prevent SSH brute attacks or False to allow SSH brute attacks.
Example: False
Prevent Ping Flood
Select True to prevent ping flood attacks or False to allow ping flood attacks.
Example: False
Forwarding Rule Settings
Destination Address
Specify the destination IP address prefix that the network service uses as a match criterion for
outgoing traffic.
Example: 192.0.2.25/24
Operation
Select the operation, which applies to a chain of rules of the same type, from the drop-down list.
The following options are available:
• append—Append the rule to a rule chain.
• insert-before—Insert the rule before a rule with the same name.
• delete—Replace an existing rule with this name.
Example: append
Source Address
Specify the source IP address prefix that the network service uses as a match criterion for outgoing
traffic.
Example: 192.0.2.20/24
Name
Specify the name for the rule. The field has no limit on the number of characters and accepts
letters, numbers, and symbols.
Example: vsrx-fw-policy
Action
Select the action for the rule, which applies to all traffic that matches the specified criteria.
• accept—Transmit packets that match the policy parameters.
• drop—Drop packets that match the policy parameters.
• reject—Reject packets that match the policy parameters.
Example: accept
Service
Specify the service that you want the rule to match.
Example:
• http
• smtp
Type
Select the type of packet that the rule matches.
• input—Packets that the network service receives that are addressed to this VM
• forward—Packets that the network service receives that are addressed to other VMs
• output—Packets that the network service transmits
The application creates a chain of all rules with a particular type.
Example: input
Table 92: Fields for the LxCIP NAT Policy Settings
Field
Description
Left Interface
Specify the name of the interface on which the network service enforces NAT for incoming
traffic.
Example: Eth1
Right Interface
Specify the name of the interface on which the network service enforces NAT for outgoing
traffic.
Example: Eth2
Related Documentation
• About the Network Services Page on page 136
• About the Service Overview Page on page 138
• Viewing a Service Configuration on page 142
• vSRX VNF Configuration Settings on page 143
• Cisco CSR-1000v VNF Configuration Settings on page 153
Cisco CSR-1000v VNF Configuration Settings
You can configure the Cisco CSR-1000v virtualized network function (VNF) from
Configuration > Network Services > Service Name > Overview > Service Configuration. Your
service provider usually configures base settings for the virtual machine (VM) in which
the virtualized network function (VNF) resides and you configure settings for the service,
such as policies. Use the information in the following tables to provide values for the
available settings:
• Table 93 on page 153 shows the base settings you can configure for the virtual machine
(VM) that contains the VNF.
NOTE: Your service provider usually configures the base settings and you
should not need to change them.
• Table 94 on page 153 shows the firewall settings you can configure.
Table 93: Fields for the CSR-1000v Base Settings
Field
Description
Host Name
Specify the hostname of the VM.
Example: host1
Loopback Address
Specify the IPv4 loopback IP address.
Example: 10.0.2.50
Name Servers
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS
name servers.
Example: 10.0.2.15
NTP Servers
Specify the FQDNs or IP addresses of one or more NTP servers.
Example: ntp.example.net
Table 94: Fields for the CSR-1000v Firewall Settings
Field
Description
Left Interface
Specify the identifier of the interface that transmits data to the host.
Example: GigabitEthernet2
Right Interface
Specify the identifier of the interface receiving data transmitted by the host.
Example: GigabitEthernet3
Left to Right Allowed Apps
Select the applications from the drop-down list for which the policy is enforced in outgoing
packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: http, https
Right to Left Allowed Apps
Select the application from the drop-down list for which the policy is enforced for incoming
packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: ftp, udp
Related Documentation
• About the Network Services Page on page 136
• About the Service Overview Page on page 138
• Viewing a Service Configuration on page 142
• vSRX VNF Configuration Settings on page 143
• Cisco CSR-1000v VNF Configuration Settings on page 153
Riverbed Steelhead VNF Configuration Settings
You configure the Riverbed Steelhead VNF through its own software. See the Riverbed
Steelhead documentation for information about how to configure the application. You
can view the following setting:
Management IP—IP address of the sxe0 interface on JDM for the NFX250. For example:
192.0.2.25.
Related Documentation
• Viewing a Service Configuration on page 142
Silver Peak VX VNF Configuration Settings
You configure the Silver Peak VX VNF through its own software. Refer to the Silver Peak
VX documentation for information on how to configure the application. You can view
the following setting:
Management IP—IP address of the sxe0 interface on JDM for the NFX250. For example:
192.0.2.25
Related Documentation
• About the Network Services Page on page 136
• About the Service Overview Page on page 138
• Viewing a Service Configuration on page 142
• vSRX VNF Configuration Settings on page 143
• LxCIPtable VNF Configuration Settings on page 150
• Cisco CSR-1000v VNF Configuration Settings on page 153
Managing a Single Service
Use the tabs on this page to view and manage information about services and service
instances.
Related Documentation
• About the Service Overview Page
• About the Service Instances Page
• About the Network Services Page
• Viewing a Service Configuration
CHAPTER 15
Configuring Application SLA Profiles
• SLA Profiles and SD-WAN Policies Overview
• About the Application SLA Profiles Page
• Creating SLA Profiles
• Editing and Deleting SLA Profiles
SLA Profiles and SD-WAN Policies Overview
Contrail Service Orchestration (CSO) enables you to create service-level agreement
(SLA) profiles and map them to software-defined WAN (SD-WAN) policies for traffic
management.
SLA Profiles
SLA profiles are created for applications or groups of applications for all tenants. An SLA
profile consists of a set of configurable constraints that can be defined in the unified
portal for both the Administration and Customer Portals. Table 95 on page 157 lists the
categories of configurable constraints that are defined in an SLA profile.
Table 95: SLA Profile Categories
Category | Description
Path preference and priority | Paths are the WAN links to be used for the SLA profile. You can choose an MPLS or Internet link as a preferred path. MPLS is more latency-sensitive than Internet. You can define priority or precedence for the SLA profile. A value of one (1) indicates highest priority. SLA profiles with higher priorities are given precedence over SLA profiles with lower priorities. Priority is used when SLA requirements are not met on a WAN link and the site switches WAN links to meet the SLA requirements.
SLA parameters | You can define one or more of the following SLA parameters:
• Throughput—Amount of data (in Mbps) that is sent upstream and received downstream by the site during the selected time period
• Latency—Amount of time (in ms) that a packet of data takes to travel from one designated point to another
• Packet loss—Percentage of data packets dropped by the network to manage congestion
• Jitter—Difference between the maximum and minimum round-trip times (in ms) of a packet of data
SLA parameters have precedence over path preference. If even one SLA parameter is defined, it is given a higher priority and overrides the path preference. SD-WAN policies mapped to an SLA profile with defined SLA parameters are called dynamic policies. Dynamic policies applied to sites enable the site to override the path preference and switch WAN links when the preferred WAN link is not meeting SLA requirements as defined in the SLA parameters.
Class of service | Class of service (CoS) provides different levels of service assurances to various forms of traffic. CoS enables you to divide traffic into classes and offer an assured service level for each class. The classes of service, listed in increasing order of priority and sensitivity to latency, are best effort, voice, interactive video, streaming audio or video, control, and business essential. The default CoS is voice.
Rate limiters | Rate limiters are defined for traffic shaping and efficient bandwidth utilization. You can define the following rate limiters:
• Maximum upstream and downstream rates—The maximum upstream and downstream rate for all applications associated with the SLA profile.
• Maximum upstream and downstream burst sizes—The maximum size of a steady stream of traffic sent at average rates that exceed the upstream and downstream rate limits for short periods.
NOTE: You must define at least one of the SLA parameters or path preference. You cannot leave both path preference and SLA parameters fields blank at the same time.
SD-WAN Policies
SLA profiles are used by SD-WAN policy intents for traffic management. SD-WAN policies
help in optimum utilization of the WAN links and efficient distribution of traffic. Every
tenant has an SD-WAN policy and intents are created in the SD-WAN policy. Policy
intents consist of the following parameters:
• Source—A source endpoint that you can choose from a list of sites, site groups, and departments or a combination of all of these. The SD-WAN policy intent is applied to the selected source endpoint.
• Destination—A destination endpoint that you can choose from a list of applications and predefined or custom application groups. You can select a maximum of 32 applications or application groups as destination endpoints. The SD-WAN policy intent is applied to the selected destination endpoint.
• SLA profile—An SLA profile that has the required constraints you want to apply to the policy intent.
• Intent name—A unique name for the SD-WAN policy intent.
SD-WAN supports advanced policy-based routing (APBR). APBR enables you to
dynamically define the routing behavior of the SD-WAN network based on applications.
Dynamic application-based routing makes it possible to define policies and to switch
WAN links on the fly based on the application's defined SLA parameters. The APBR
mechanism classifies sessions based on applications and application signatures and
uses policy intents to identify the best possible route for the application. When the best
possible route does not meet the application's defined SLA requirements, the SD-WAN
network finds the next best possible route to meet SLA requirements.
For example, consider an application in a site. If you want the application group to use
custom throughput, latency, or jitter, you can create an SLA profile with these custom
values. You can then create an intent and configure the intent with the application and
apply the custom SLA profile. When the intent is deployed, CSO determines the
best-suited WAN link to route traffic based on the application. If the WAN link fails to meet
SLA requirements at runtime, the SD-WAN network switches WAN links to the next
best-suited path.
On the basis of the configured SLA profile constraints, you can categorize SD-WAN
policies into two types:
• Static policy—If only the path preference is defined and none of the SLA parameters are defined in the SLA profile, then the policy is called a static policy. In static policies, if the defined WAN link under path preference is unable to meet the SLA requirements, link switching cannot occur and SLA performance deteriorates.
• Dynamic policy—If one or more SLA parameters in the SLA profile are defined, then the policy is called a dynamic policy.
In dynamic policies, because SLA parameters override the path preference, the SD-WAN
network chooses the best possible WAN link for traffic management. When an intent
is deployed on a site, if the WAN link chosen by the SD-WAN network does not meet
the SLA requirements and the network performance deteriorates, then the site switches
WAN links to meet the SLA requirements. The link switching is recorded as an SD-WAN
event and displayed in the SD-WAN Events page in the customer portal and the
Tenant_name SLA Performance pages in the administration and customer portals.
Link switching occurs only when the SD-WAN policy is dynamic because SLA
parameters override the path preference and the site is able to switch WAN links.
Related Documentation
• About the Application SLA Profiles Page
About the Application SLA Profiles Page
To access this page, select Configuration > Application SLA Profiles in the Administration
Portal.
You can use the Application SLA Profiles page to view information about service-level
agreement (SLA) profiles for all tenants.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details of SLA profiles for all tenants.
• Create an SLA profile for a tenant. See “Creating SLA Profiles” on page 161.
• Edit the configuration of an existing SLA profile. See “Editing and Deleting SLA Profiles” on page 163.
• Show or hide columns that contain information about SLA profiles. See “Sorting Objects” on page 15.
• Search for SLA profiles using keywords. Click the search icon. Enter partial text or full text of the keyword in the search bar and press Enter. The search results are displayed.
Field Descriptions
Table 96 on page 160 shows the descriptions of the fields on the Application SLA Profiles
page.
Table 96: Fields on the Application SLA Profiles Page
Field | Description
Priority | View the SLA profile priority.
Name | View the SLA profile name.
Link Paths | View WAN link paths associated with the SLA profile.
Tenant | View the tenant associated with the SLA profile.
Class of Service | View the class of service associated with the SLA profile.
Throughput Target | View the target throughput for the SLA profile.
Latency Target | View the target latency for the SLA profile.
Packet Loss Target | View the target packet loss for the SLA profile.
Jitter Target | View the target jitter for the SLA profile.
Delay Target | View the target delay for the SLA profile. Target delay is calculated as two times the target latency.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview
• Creating SLA Profiles
• Editing and Deleting SLA Profiles
Creating SLA Profiles
You can use the Create SLA Profile page to create a new service-level agreement (SLA)
profile, configure target metrics, and associate tenants with the SLA profile.
To add an SLA profile to a tenant:
1. Click the add icon (+) on the Configuration > Application SLA Profiles page in the
Administration Portal.
The Create SLA Profile page appears.
2. Enter the general SLA profile information according to the guidelines provided in
Table 97 on page 161.
3. Click Next.
The Configuration tab appears.
4. Complete the configuration according to the guidelines provided in
Table 98 on page 162.
5. Click OK to create the SLA profile. The Application SLA Profile page appears with the
new SLA profile information.
Alternatively, if you want to discard your updates, click Cancel instead.
Table 97: Create SLA Profile - General Tab
Field | Guidelines
General
Name | Enter a name for the SLA profile. Enter a unique string of alphanumeric characters and some special characters (. -). No spaces are allowed and the maximum length is 15 characters.
Description | Enter a description for the SLA profile; maximum length is 4096 characters.
Priority | Enter a priority or precedence for the SLA profile. A value of one (1) indicates highest priority. SLA profiles with higher priorities are given precedence over SLA profiles with lower priorities.
Table 98: Create SLA Profile - Configuration Tab
Field | Guidelines
Configuration
Path Preference | Select the preferred WAN link to associate with the SLA profile. You can select MPLS or Internet as the WAN link.
Class of Service | Select the preferred class of service (CoS) to associate with the SLA profile. CoS enables you to divide traffic into classes and offer an assured service level for each class. You can select the CoS from best effort, voice, interactive video, streaming audio or video, control traffic, and business essential. By default, voice is selected.
Metrics Targets
Copy Target Metrics From | Select the existing SLA profile from which you want to copy target metrics. By default, no SLA profile is selected.
Throughput | Enter the target throughput (in Mbps) for the SLA profile. Throughput is the amount of data that is sent upstream and received downstream by the site during the selected time period.
Latency | Enter the target latency (in ms) for the SLA profile. Latency is the amount of time that a packet of data takes to travel from one designated point to another. Target delay is calculated as two times the target latency.
Packet Loss | Enter the target packet loss (in %) for the SLA profile. Packet loss is the percentage of data packets dropped by the network to manage congestion.
Jitter | Enter the target jitter (in ms) for the SLA profile. Jitter is the difference between the maximum and minimum round-trip times of a packet of data.
Advanced Configuration
Maximum Upstream Rate | Enter the maximum upstream rate (in Kbps) for all applications associated with the SLA profile. The rate is in the range 64 through 10,485,760 Kbps.
Maximum Upstream Burst Size | Enter the maximum burst size (in bytes). The burst size is in the range 1 through 1,342,177,280 bytes.
Maximum Downstream Rate | Enter the maximum downstream rate (in Kbps) for all applications associated with the SLA profile. The rate is in the range 64 through 10,485,760 Kbps.
Maximum Downstream Burst Size | Enter the maximum burst size (in bytes). The burst size is in the range 1 through 1,342,177,280 bytes.
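The field limits in the Create SLA Profile tables, the rule that a profile needs a path preference or at least one SLA parameter, and the static/dynamic distinction from the overview can be checked before a profile is entered in the portal. The following Python is an added example, not CSO code: the `SlaProfile` class, its field names, the `unmet_targets` comparison (a simplified reading in which a measured latency, packet loss or jitter above its target counts as unmet) and the sample profiles are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limits copied from the Create SLA Profile tables (General and Configuration tabs).
NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,15}")   # alphanumerics plus "." and "-", no spaces
PATHS = ("MPLS", "Internet")
LIMITERS = {                                    # field -> (min, max, unit)
    "max_upstream_rate_kbps": (64, 10_485_760, "Kbps"),
    "max_downstream_rate_kbps": (64, 10_485_760, "Kbps"),
    "max_upstream_burst_bytes": (1, 1_342_177_280, "bytes"),
    "max_downstream_burst_bytes": (1, 1_342_177_280, "bytes"),
}
SLA_FIELDS = ("throughput_mbps", "latency_ms", "packet_loss_pct", "jitter_ms")


@dataclass
class SlaProfile:                               # hypothetical model; field names are assumptions
    name: str
    priority: int                               # 1 is the highest priority
    path_preference: Optional[str] = None
    class_of_service: str = "voice"             # the guide's default CoS
    throughput_mbps: Optional[float] = None
    latency_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None
    jitter_ms: Optional[float] = None
    max_upstream_rate_kbps: Optional[int] = None
    max_upstream_burst_bytes: Optional[int] = None
    max_downstream_rate_kbps: Optional[int] = None
    max_downstream_burst_bytes: Optional[int] = None

    def sla_parameters(self) -> Dict[str, float]:
        return {f: getattr(self, f) for f in SLA_FIELDS if getattr(self, f) is not None}

    def policy_type(self) -> Optional[str]:
        """dynamic: any SLA parameter set; static: path preference only; None: neither."""
        if self.sla_parameters():
            return "dynamic"
        return "static" if self.path_preference else None

    def delay_target_ms(self) -> Optional[float]:
        """Target delay is two times the target latency."""
        return None if self.latency_ms is None else 2 * self.latency_ms


def validate(p: SlaProfile) -> List[str]:
    """Return a list of rule violations; an empty list means the profile passes."""
    errors = []
    if not NAME_RE.fullmatch(p.name):
        errors.append("name: use 1-15 alphanumerics, '.' or '-', no spaces")
    if p.priority < 1:                          # inferred from "1 indicates highest priority"
        errors.append("priority: must be 1 or greater")
    if p.path_preference is not None and p.path_preference not in PATHS:
        errors.append("path_preference: choose MPLS or Internet")
    if p.policy_type() is None:
        errors.append("profile: define a path preference or at least one SLA parameter")
    for field, value in p.sla_parameters().items():
        upper = 100 if field == "packet_loss_pct" else float("inf")
        if not 0 <= value <= upper:
            errors.append(f"{field}: {value} is out of range")
    for field, (low, high, unit) in LIMITERS.items():
        value = getattr(p, field)
        if value is not None and not low <= value <= high:
            errors.append(f"{field}: {value} is outside {low}-{high} {unit}")
    return errors


def unmet_targets(p: SlaProfile, measured: Dict[str, float]) -> List[str]:
    """Targets exceeded on the current link. Throughput is left out on purpose:
    the guide does not say in which direction its target is compared."""
    checked = ("latency_ms", "packet_loss_pct", "jitter_ms")
    return [f for f in checked
            if getattr(p, f) is not None and f in measured and measured[f] > getattr(p, f)]


def can_switch_links(p: SlaProfile, measured: Dict[str, float]) -> bool:
    """Only a dynamic policy lets the site leave the preferred WAN link."""
    return p.policy_type() == "dynamic" and bool(unmet_targets(p, measured))


# Constructed sample profiles (not from the guide).
VOICE = SlaProfile("voice-gold", 1, "MPLS", latency_ms=50, jitter_ms=10, packet_loss_pct=1)
BULK = SlaProfile("bulk", 5, "Internet", max_upstream_rate_kbps=32)
EMPTY = SlaProfile("no constraints set", 2)

if __name__ == "__main__":
    for profile in sorted((BULK, EMPTY, VOICE), key=lambda p: p.priority):
        print(profile.name, profile.policy_type(), validate(profile))
```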
Related Documentation
• SLA Profiles and SD-WAN Policies Overview
• About the Application SLA Profiles Page
• Editing and Deleting SLA Profiles
Editing and Deleting SLA Profiles
You can use the Application SLA Profiles page to edit and delete SLA profiles.
• Editing an SLA Profile
• Deleting SLA Profiles
Editing an SLA Profile
To edit an SLA Profile:
1. Select the check box for the SLA profile that you want to edit, and click the Edit icon
on the Configuration > Application SLA Profiles page in the Administration Portal.
The Edit Application SLA Profile page appears.
2. Update the general SLA profile information as needed according to the guidelines
provided in “Creating SLA Profiles” on page 161. You cannot edit the SLA profile name.
3. Click Next.
The Configuration tab appears.
4. Update the configuration parameters as needed according to the guidelines provided
in “Creating SLA Profiles” on page 161.
5. Click OK to save the updated SLA profile configuration.
The SLA profile information that you updated appears on the Application SLA Profiles
page.
Deleting SLA Profiles
You can delete the SLA profile if it is no longer needed. To delete an SLA profile:
1. Select the check box for the SLA profile that you want to delete and click the delete
icon (X) on the Configuration > Application SLA Profiles page in the Administration
Portal. You can also select multiple SLA profiles.
A page requesting confirmation for the deletion appears.
2. Click Yes to confirm that you want to delete the SLA profile.
The SLA profile is deleted.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview
• About the Application SLA Profiles Page
• Creating SLA Profiles
CHAPTER 16
Configuring Application Signatures
• Application Signatures Overview
• About the Application Signatures Page
• Creating Application Signature Groups
• Editing, Cloning, and Deleting Application Signature Groups
Application Signatures Overview
Juniper Networks regularly updates the predefined application signature database, making
it available to subscribers on the Juniper Networks website. This database includes
signature definitions of known application objects that can be used to identify applications
for tracking, firewall policies, and quality-of-service prioritization.
Use the Application Signatures page to get an overall, high-level view of your application
signature settings. You can filter and sort this information to get a better understanding
of what you want to configure.
Related Documentation
• About the Application Signatures Page
• Creating Application Signature Groups
• Editing, Cloning, and Deleting Application Signature Groups
About the Application Signatures Page
To access this page, select Configuration > Shared Objects > Application Signatures.
Use the Application Signatures page to view application signatures that are already
downloaded and to create, modify, clone, and delete custom application signature groups.
The Application Signatures page displays the name, object type, category and subcategory,
risk associated with, and characteristics of the signature. You can create custom
application signature groups with a set of similar signatures for consistent reuse when
defining policies.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create an application signature group. See “Creating Application Signature Groups” on page 167.
• Modify, clone, or delete an application signature group. See “Editing, Cloning, and Deleting Application Signature Groups” on page 168.
• View the configured parameters of an application signature or application signature group. Click the details icon that appears when you hover over the name of an image or click More > Details. See “Viewing Object Details” on page 14.
• Show or hide columns on the Application Signatures page. See “Sorting Objects” on page 15.
• Search for a specific application signature or application signature group. See “Searching for Text in an Object Data Table” on page 15.
• Filter the application signature information based on select criteria. To do this, select the filter icon at the top right-hand corner of the table. The columns in the grid change to accept filter options. Select the filter options; the table displays only the data that fits the filtering criteria.
Field Descriptions
Table 99 on page 166 provides guidelines on using the fields on the Application Signatures
page.
Table 99: Fields on the Application Signatures Page
Field | Description
Name | Name of the application signature or application signature group.
Object Type | Signature type—either application signature or application signature group.
Category | UTM category of the application signature. For example, the value of Category can be Messaging, Web, Infrastructure, Remote-Access, Multimedia, and so on.
Subcategory | UTM subcategory of the application signature. For example, the value of Subcategory can be Wiki, File-Sharing, Multimedia, Social-Networking, News, and so on.
Risk | Level of risk associated with the application signature. For example, the value of Risk can be Low, High, unsafe, and so on.
Characteristic | One or more characteristics of the application signature.
Predefined or Custom | A list of predefined application signatures and application signature groups, and a list of custom application signature groups that you created.
Related Documentation
• Application Signatures Overview
• Creating Application Signature Groups
• Editing, Cloning, and Deleting Application Signature Groups
Creating Application Signature Groups
Application identification supports custom application signatures to detect applications
as they pass through the device. When you create custom signature groups, make sure
that your signature groups are unique, by providing a unique and relevant name.
To create an application signature group:
1. Select Configure > Shared Objects > Application Signatures.
2. Click the add icon (+).
3. Complete the configuration according to the guidelines provided in
Table 100 on page 167.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new application signature group with your configurations is created. You can use this
application signature group in firewall, NAT, and SD-WAN policies.
Table 100 on page 167 provides guidelines on using the fields on the Create Application
Signature Group page.
Table 100: Fields on the Create Application Signature Group Page
Field | Description
Name | Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Group Members | Click the add icon (+) to add signatures to your application group. On the Add Application Signatures page, select the check boxes next to the signatures you want to add to the group.
Related Documentation
• Application Signatures Overview
• About the Application Signatures Page
• Editing, Cloning, and Deleting Application Signature Groups
Editing, Cloning, and Deleting Application Signature Groups
You can edit, clone, and delete application signature groups from the Application
Signatures page.
• Editing Application Signature Groups
• Cloning Application Signature Groups
• Deleting Application Signature Groups
Editing Application Signature Groups
To modify the parameters configured for an application signature group:
1. Select Configuration > Shared Objects > Application Signatures.
The Application Signatures page appears.
2. Select the application signature group that you want to edit, and then select More >
Edit, or click on the edit icon (pencil symbol), on the top right corner of the table, or
right-click and select Edit.
The Edit page appears, showing the same options as those displayed when you create
a new application signature group.
3. Modify the parameters according to the guidelines provided in “Creating Application
Signature Groups” on page 167.
4. Click Save to save the changes. If you want to discard your changes, click Cancel
instead.
The modified application signature group appears in the Application Signatures page.
Cloning Application Signature Groups
You can clone an application signature group when you want to reuse an existing
application signature group, but with a few minor changes. This way, you can save time
recreating the application signature group from the start.
To clone an application signature group:
1. Select Configuration > Shared Objects > Application Signatures.
The Application Signatures page appears.
2. Right-click the application signature group that you want to clone and then select
Clone, or select More > Clone.
The Clone page appears with editable fields.
3. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
The cloned application signature group is displayed on the Application Signatures page.
Deleting Application Signature Groups
To delete an application signature group:
1. Select Configuration > Shared Objects > Application Signatures.
The Application Signatures page appears.
2. Select the application signature group you want to delete and then click the delete
icon (X).
An alert message appears, verifying that you want to delete the selected item.
3. Click Yes to delete the selected application signature group. If you do not want to
delete, click Cancel instead.
Related Documentation
• Application Signatures Overview
• About the Application Signatures Page
• Creating Application Signature Groups
CHAPTER 17
Managing Tenants
• Tenant Overview
• About the Tenants Page
• Managing a Single Tenant
• About the Tenant Sites Page
• About the Tenant Services Page
• Importing Data for Multiple Tenants
• Adding a Single Tenant
• Adding Service Profiles
• Viewing the History of Imported Tenant Data
• Viewing the History of Deleted Tenant Data
• Allocating Network Services to a Tenant
Tenant Overview
A tenant in a Cloud CPE solution represents a customer who accesses virtualized network
functions (VNFs) in a service provider’s cloud through a Layer 3 VPN. You assign
administrative users and sites to customers in the Administration Portal to represent the
staff in the customer’s organization and the geographical locations in the customer’s
network. You also use Administration Portal to allocate network service profiles to
customers.
Related Documentation
• Administration Portal Overview
• About the Tenants Page
• Importing Data for Multiple Tenants
About the Tenants Page
To access this page, click Tenants > All Tenants.
You can use the Tenants page to create a tenant, import tenants and other objects
associated with tenants, such as administrative users and sites, and view the history of
imported tenant data and deleted tenant data. See “Tenant Overview” on page 171.
Before You Begin
Create all the resources required for the network point of presence (POP).
Tasks You Can Perform
You can perform the following tasks from this page:
• Quickly view important data about the tenants in the widgets that appear at the top of the page. For information about the widgets, see Table 101 on page 172.
• View details about a tenant. Click the details icon for the tenant. See “Viewing Object Details” on page 14.
• Import tenants. See “Importing Data for Multiple Tenants” on page 175.
• View tenant import history. See “Viewing the History of Imported Tenant Data” on page 183.
• View tenant delete history. See “Viewing the History of Deleted Tenant Data” on page 184.
Field Descriptions
Table 101 on page 172 shows the description of the widget that appears at the top of the
Tenants page.
Table 101: Widget on the Tenants Page
Widget | Description
Total Tenant | View the numbers of tenants and their types.
Table 102 on page 172 provides guidelines on using the fields on the Tenants page.
Table 102: Fields on the Tenants Page
Field | Description
Name | View the name of the tenant. Click the name to view full information about a tenant.
Type | View the type of tenant. The tenant type limits the number of service instances for a tenant. The following options are available: Small, Medium, Large, Default
Sites | View the total number of sites that are available for the tenant.
Assigned Services | View the number of services that are assigned to the tenant.
Activated Service Instances | View the number of services that have been deployed by the administrator on a connection in the network.
Administrator | View the administrative user for the tenant.
Last Changed | View the date and time when the tenant information was last modified.
Related Documentation
• About the Tenant Sites Page
• About the Tenant Services Page
• Assigning a Service to Tenants
• Importing Data for Multiple Tenants
Managing a Single Tenant
Use the tabs on this page to view and manage the tenant site and service information
for a specific tenant.
Related Documentation
• About the Tenant Sites Page
• About the Tenant Services Page
• Adding a Single Tenant
About the Tenant Sites Page
To access this page, click Tenants > All Tenants > Name of Tenant > Tenant Sites.
After importing the tenants, you can use the Tenant Sites page to view device
assignments, assign services, and disable a tenant site. See “Tenant Overview” on page 171.
Tasks You Can Perform
You can perform the following tasks from this page:
• Add tenants. See “Adding a Single Tenant” on page 179, “Importing Data for Multiple Tenants” on page 175.
• Assign network services to tenants. See “Allocating Network Services to a Tenant” on page 186.
• Delete a tenant site. See “Deleting Objects” on page 14.
Field Descriptions
Table 103 on page 174 provides guidelines on using the fields on the Tenant Sites page.
Table 103: Fields on the Tenant Sites Page
Field | Description
Site Name | View the name of the tenant site.
Location | View the location of the tenant site.
PoP Name | View the POP for the tenant site.
State | View the current status of the tenant site. The following options are available: Active, Provisioned, Failed
Type | View the type of tenant site. The following options are available: Cloud, Data Center, On Premise
Services Activated | View the total number of services that are activated for the site.
Related Documentation
• About the Tenants Page
• About the Tenant Services Page
About the Tenant Services Page
To access this page, click Tenants > All Tenants > Tenant Name > Tenant Services.
After importing the tenants and assigning services to the tenants, you can use the Tenant
Services page to monitor and manage the tenant services. See Tenant Management
Overview.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a tenant service. See “Viewing Object Details” on page 14.
• Delete a tenant service. See “Deleting Objects” on page 14.
Field Descriptions
Table 104 on page 175 provides guidelines on using the fields on the Tenant Services page.
Table 104: Fields on the Tenant Services Page
Field | Description
Name | View the name of the tenant service.
Sites with Instances | View the number of sites of a specific tenant to which the service is assigned.
Instances | View the number of instances of the service for a specific tenant.
Last Update | View the date and time when the tenant service information was last modified.
Related Documentation
• About the Tenants Page
• About the Tenant Sites Page
• Assigning a Service to Tenants
Importing Data for Multiple Tenants
You can use the Import Tenants page to import tenant data and other objects associated
with the tenant, such as administrative users, sites, and topology. You can start by
downloading a JSON template and using it to customize the data file that you want to
import.
• Creating a Tenant Data File
• Importing Tenant Data
Creating a Tenant Data File
To create a tenant data file:
1. Click Tenants > All Tenants > Import Tenants > Import.
The Import Tenants page appears.
2. Click Download Sample JSON to download a JSON template.
The tenant template file is downloaded to your system.
3. In the Import Tenants page, click Cancel.
4. Open the template file.
5. Save the template file to your computer with an appropriate name.
6. Customize the file with your tenant data, using Table 105 on page 176 as a reference.
7. Save the customized tenant data file.
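Because the customized tenant data file carries `admin_user_password` values in clear text, it is worth linting the file and its permissions before import. The following Python is an added example, not part of CSO: it uses only field names from the Tenant Configuration Fields table, walks the JSON at any depth because the nesting of the downloaded template is not shown here, and the 12-character minimum, the nesting of the sample document and its values are constructed assumptions.

```python
import ipaddress
import json
import re
import stat
from typing import Any, Iterator, List, Tuple

TENANT_TYPES = {"Small", "Medium", "Large", "X Large", "Default"}
ROUTE_TARGET_RE = re.compile(r"\d+:\d+")   # shape of the guide's examples, such as 8888:889
MIN_PASSWORD_LEN = 12                      # assumption: local policy, not a CSO rule
DOC_SAMPLE_PASSWORDS = {"pwd123"}          # sample value printed in the guide


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, f"{path}[{index}]")


def lint_tenant_data(text: str) -> List[str]:
    """Return findings for a tenant data file; password values are never echoed."""
    findings = []
    for path, key, value in walk(json.loads(text)):
        if key == "admin_user_password":
            password = value if isinstance(value, str) else ""
            if password in DOC_SAMPLE_PASSWORDS:
                findings.append(f"{path}: password is the sample value printed in the documentation")
            elif len(password) < MIN_PASSWORD_LEN:
                findings.append(f"{path}: password is shorter than {MIN_PASSWORD_LEN} characters")
        elif key == "tenant_type":
            if not (isinstance(value, str) and value in TENANT_TYPES):
                findings.append(f"{path}: unknown tenant_type {value!r}")
        elif key == "route_target":
            if not (isinstance(value, str) and ROUTE_TARGET_RE.fullmatch(value)):
                findings.append(f"{path}: route_target {value!r} is not in number:number form")
        elif key == "subnet":
            try:
                if not isinstance(value, str):
                    raise ValueError("subnet must be a string")
                ipaddress.ip_network(value)  # strict by default: host bits must be zero
            except ValueError:
                findings.append(f"{path}: subnet {value!r} is not a valid network prefix")
    return findings


def file_mode_findings(mode: int) -> List[str]:
    """Check os.stat(path).st_mode: the file holds administrator passwords in clear text."""
    if stat.S_IMODE(mode) & 0o077:
        return ["file is accessible to group or other users; restrict it to the owner"]
    return []


# Constructed sample document; the nesting is an assumption, the key names are from the table.
SAMPLE = """
{
  "tenants": [
    {"tenant_name": "tenant-a", "tenant_type": "Default",
     "admin_user_name": "admin-tenant-a", "admin_user_password": "pwd123",
     "site": [{"site_name": "site1",
               "router_info": {"router_name": "PNE-MX10",
                               "route_target": "8888:889", "subnet": "10.154.0.0/24"}}]},
    {"tenant_name": "tenant-b", "tenant_type": "Huge",
     "admin_user_name": "admin-tenant-b",
     "admin_user_password": "constructed-sample-passphrase-01",
     "site": [{"site_name": "site2",
               "router_info": {"router_name": "PNE-MX10",
                               "route_target": "8888", "subnet": "10.154.0.5/24"}}]}
  ]
}
"""

if __name__ == "__main__":
    for finding in lint_tenant_data(SAMPLE) + file_mode_findings(0o100644):
        print(finding)
```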
Table 105: Tenant Configuration Fields
Field | Description
tenant_name | Specify the name of the tenant. You can use an unlimited number of alphanumeric characters, including symbols. Example: tenant-a
tenant_type | Specify the type of tenant. The following options are available: Small, Medium, Large, X Large, Default. Example: Default
admin_user_name | Specify a unique name for the tenant administrator. Example: admin-tenant-a
admin_user_password | Specify a password for the tenant administrator. Example: pwd123
managed_wan_topology
network_name | Specify a unique name for the customer Layer 3 VPN network. You can use an unlimited number of alphanumeric characters, including symbols. Example: vcpe-tenant-a-l3vpn
site
site_name | Specify a unique alphanumeric name for the site. You can use an unlimited number of alphanumeric characters, including symbols. Example: site1
site_description | Specify the description for the site. You can use an unlimited number of alphanumeric characters, including symbols. Example: vcpe payload
street | Specify the street name of the site. Example: site1-street
city | Specify the city name of the site. Example: site1-city
state | Specify the name of the state where the site is located. Example: site1-state
zip_code | Specify the zip code of the site location. Example: 99990
country | Specify the name of the country where the site is located. Example: site1-country
router_info (cloud_site_info)
router_name | Specify the router name that connects to the tenant site. This value matches the interface that you configure for the MX Series router physical network element (PNE). Example: PNE-MX10
route_target | Specify the route target of the transit network for the tenant. Example: 8888:889
right_network_name | Specify the name of the transit network for the tenant. Example: internet, corp-vpn-right
subnet | Specify the subnet of the transit network for the tenant. Example: 10.154.0.0/24
route_target (internet-info) | Specify the route target of the site virtual network. Example: 8888:887
subnet (internet-info)
Specify the IP address of the subnet that connects the site to the Internet.
Example: 10.155.0.0/24
pop_info (cloud_site_info)
pop_name
Specify the name of the POP that manages the site. You can use an unlimited number
of alphanumeric characters, including symbols.
Example: pne-pop10
route_target
Specify the route target of the transit network for the tenant.
Example: 8828:889
Copyright © 2018, Juniper Networks, Inc.
177
Contrail Service Orchestration User Guide
Table 105: Tenant Configuration Fields (continued)
Field
Description
right_network_name
Specify the name of the transit network for the tenant.
Example: corp-vpn-right
subnet
Specify the subnet of the transit network for the tenant.
Example: 10.151.0.0/24
route_target (internet-info)
Specify the route target of the site virtual network.
Example: 8888:887
subnet (internet-info)
Specify the IP address of the subnet that connects the site to the Internet.
Example: 10.155.0.0/24
pop_info (data_center_site_info)
pop_name
Specify the name of the POP. You can use an unlimited number of alphanumeric
characters, including symbols.
Example: pne-pop10
route_target
Specify the route target for the corporate data center network.
Example: 65412:772
subnet
Specify the subnet of the corporate data center network.
Example: 10.155.0.0/24
route_target (internet-info)
Specify the route target for the Internet network.
Example: 8888:887
subnet (internet-info)
Specify the subnet IPv4 address for the Internet network.
Example: 10.155.0.0/24
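The following Python script is an added example, not part of this guide or of Contrail Service Orchestration; it checks a customized tenant data file against the field guidelines above before you import it. It matches fields by name wherever they occur, so it does not depend on the template's nesting. Assumptions: the nesting of the constructed sample is invented, the password rule is the one this guide states for the Admin User Password field on the Add Tenant page, and the number:number route-target form is inferred from the guide's examples.

```python
import ipaddress
import json
import re

# Allowed tenant_type values, as listed in the tenant configuration fields table.
TENANT_TYPES = {"Small", "Medium", "Large", "X Large", "Default"}
# Assumption: route targets look like the guide's examples, e.g. 8888:889.
ROUTE_TARGET_RE = re.compile(r"^\d+:\d+$")


def password_problems(password):
    """Return the parts of the guide's Add Tenant password rule that fail."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def walk(node, path):
    """Yield (path, key, value) for every scalar field in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                yield from walk(value, child)
            else:
                yield child, key, value
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, f"{path}[{index}]")


def lint_tenant(tenant, path):
    """Check one tenant object; findings never echo the password itself."""
    findings = []
    for where, key, value in walk(tenant, path):
        if key == "tenant_type" and value not in TENANT_TYPES:
            findings.append((where, f"unknown tenant type {value!r}"))
        elif key == "admin_user_password":
            for problem in password_problems(str(value)):
                findings.append((where, f"password: {problem}"))
        elif key == "route_target" and not ROUTE_TARGET_RE.match(str(value)):
            findings.append((where, f"malformed route target {value!r}"))
        elif key == "subnet":
            try:
                ipaddress.ip_network(str(value), strict=True)
            except ValueError as exc:
                findings.append((where, f"bad subnet: {exc}"))
    return findings


def lint_file(tenants):
    """Check every tenant and enforce unique administrator names."""
    findings = []
    seen_admins = set()
    for index, tenant in enumerate(tenants):
        path = f"[{index}]"
        findings.extend(lint_tenant(tenant, path))
        admin = tenant.get("admin_user_name")
        if admin is not None and admin in seen_admins:
            findings.append((f"{path}.admin_user_name",
                             f"duplicate administrator name {admin!r}"))
        seen_admins.add(admin)
    return findings


# Constructed sample data; the nesting is an assumption, not the real template.
SAMPLE = json.loads("""
[
  {"tenant_name": "tenant-a", "tenant_type": "Default",
   "admin_user_name": "admin-tenant-a", "admin_user_password": "pwd123",
   "managed_wan_topology": {"network_name": "vcpe-tenant-a-l3vpn"},
   "site": [{"site_name": "site1",
             "cloud_site_info": {"router_info": {
                 "router_name": "PNE-MX10", "route_target": "8888:889",
                 "subnet": "10.154.0.0/24"}}}]},
  {"tenant_name": "tenant-b", "tenant_type": "XLarge",
   "admin_user_name": "admin-tenant-a", "admin_user_password": "Str0ng!pass",
   "site": [{"site_name": "site1",
             "cloud_site_info": {"pop_info": {
                 "pop_name": "pne-pop10", "route_target": "8828-889",
                 "subnet": "10.151.0.7/24"}}}]}
]
""")

if __name__ == "__main__":
    for where, message in lint_file(SAMPLE):
        print(f"{where}: {message}")
```

The guide's own sample password, pwd123, fails two parts of the rule, which is why the first constructed tenant is reported.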
Importing Tenant Data
To import tenant data:
1. Click Tenants > All Tenants > Import Tenants.
The Import Tenants page is displayed.
2. Click Browse and navigate to the directory where the tenant file is located.
3. Select the tenant file and click Open.
4. Click Import.
The status of the import operation is displayed. You can click View Details for more
information about the import operation. If the import operation state is successful,
then proceed to Step 4 or verify the tenant file format.
5. Click OK.
The new tenants are displayed on the Tenants page. You can click any tenant to view
more information about the tenant.
NOTE: If you use the tenants for a hybrid WAN centralized deployment,
access Contrail and add the following rule to the default security group in
the Contrail project:
    Ingress IPv4 network 0.0.0.0/0 protocol any ports any
This rule allows the network to accept traffic from all subnets, on any protocol and port.
Related Documentation
• Viewing the History of Imported Tenant Data on page 183
Adding a Single Tenant
You can use the Add Tenant page to add tenant data and other objects associated with
a tenant, such as administrative user, network details, deployment scenario, service
profiles, and custom properties. A single tenant supports centralized deployment,
distributed deployment, and hybrid (both centralized and distributed) deployment
scenarios.
Begin by creating all the resources required for the network point of presence (POP).
The information listed on the Tenants page changes depending on the authentication
mode configured:
• Local Authentication—You can add the administrative user information as the first step from the Tenants page.
• Authentication and Authorization with SSO Server—The Admin User information is not displayed on the Tenants page because users are not created in CSO and they are managed in the SAML identity provider. In addition, users are dynamically authorized to the CSO role based on the mapping rules configured in the SAML authentication.
• Authentication with SSO Server—When you create the administrative user, the login page does not require you to configure a password because the user is created in the SSO without the password and you can only enter the username.
To add a tenant:
1. Click Tenants > All Tenants > +.
The Add Tenant page appears.
2. Update the tenant information. Complete the configuration according to the guidelines
provided in Table 106 on page 180.
3. Click OK. If you want to discard your changes, click Cancel instead.
The tenant that you configured appears on the Tenants page.
4. If you use the tenant for a hybrid WAN centralized deployment, access Contrail and
add the following rule to the default security group in the Contrail project:
    Ingress IPv4 network 0.0.0.0/0 protocol any ports any
This rule allows the network to accept traffic from all subnets, on any protocol and port.
Table 106: Fields on the Tenant Configuration Page

| Field | Description |
|---|---|
| Tenant Info | |
| Name | Specify the name of the tenant. You can use an unlimited number of alphanumeric characters, including special characters. Example: test-tenant |
| Type | Select the tenant type. The following options are available: Small (1 vCPU, 20-GB disk space, and 2048-MB RAM space); Medium (2 vCPU, 40-GB disk space, and 4096-MB RAM space); Large (4 vCPU, 80-GB disk space, and 8192-MB RAM space); X Large (8 vCPU, 160-GB disk space, and 16384-MB RAM space). |
| Deployment Scenario | Select the deployment scenario: Hybrid WAN (supports both distributed and centralized deployments) or SD WAN. NOTE: Intent policies are not applicable for Hybrid WAN deployments. |
| Corporate Transit Network | View the transit network name. This field is automatically populated after you enter the tenant name. The transit network is a hub or virtual network that transports traffic from one site to another and from a site to the Internet. Example: test-tenant_L3VPN |
| Admin user | |
| Admin User Name | Specify the name of the administrative user. This field is automatically populated after you enter the tenant name. Example: test-tenant_admin |
| Admin User Password | Specify the password for the administrative user. The password must be at least six characters long. The password must contain both uppercase and lowercase letters with at least one number and a special character. Example: P@ssw0rd |
| Confirm Password | Reenter the administrative user password. Example: P@ssw0rd |
| User Password Expires | Select one of the following options: Never (the password never expires) or After specified number of days (you must specify a duration in the Password Expiration Days field). |
| Password Expiration Days | Specify the duration (in days) after which the password expires and must be changed. The range is from 1 through 365. The default value is 180 days. |
| Service Profiles | |
| VIM Name | If you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized deployment, then select the virtualized infrastructure manager (VIM) for the tenant. A tenant can be associated with multiple VIMs. Example: test-vim |
| Service profile Name | If you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized deployment, then select the service profile that specifies the authentication information for the tenant. You configure the service profile when you create the virtualized infrastructure manager (VIM). Example: service-profile-for-test-vim |
| Custom Properties | If you have set up a third-party provider edge (PE) device by using software other than Contrail Service Orchestration, then configure settings on that router by specifying custom parameters and their corresponding values. |
| Name | Specify any information about the site that you want to pass to a third-party router. Example: Location |
| Value | Specify a value for the information about the site that you want to pass to a third-party device. Example: Boston |
Related Documentation
• Tenant Overview on page 171
Adding Service Profiles
You can use the Add Service profile page to associate a list of service profiles that are
available for the selected VIM with the customer.
In previous releases, you used the Contrail OpenStack Keystone to authenticate Contrail
Service Orchestration operations in a centralized deployment. In addition to this method,
you can also configure a dedicated OpenStack Keystone for Contrail Service Orchestration
in a centralized deployment. When you use a dedicated OpenStack Keystone, you
configure each VIM to include service profiles that contain login credentials for the
customers that it serves. You also associate the service profile and VIM with each
customer. The login credentials for a dedicated OpenStack Keystone for Contrail Service
Orchestration are stored in the file /etc/keystone/keystone on the primary Contrail Service
Orchestration server.
To add a service profile to a tenant:
1. Click Tenants > All Tenants > +.
The Add Tenant page appears.
2. Update the tenant information and administrative user information according to the
guidelines provided in Table 106 on page 180.
3. Click Next.
The Service Profiles tab appears.
4. Click the plus icon (+).
The Add Service Profile page appears.
5. Complete the configuration according to the guidelines provided in
Table 107 on page 182.
6. Click Save. If you want to discard your changes, click Cancel instead.
Table 107: Fields on the Add Service Profile Page

| Field | Description |
|---|---|
| VIM Name | If you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized deployment, then select the virtualized infrastructure manager (VIM) for the tenant. A tenant can be associated with multiple VIMs. Example: test-vim |
| Service Profile Name | If you use a dedicated OpenStack Keystone for Contrail Service Orchestration in a centralized deployment, then select the service profile that specifies the authentication information for the tenant. You configure the service profile when you create the virtualized infrastructure manager (VIM). Example: service-profile-for-test-vim |
Related Documentation
• Creating a Single POP on page 57
• Creating a Cloud VIM on page 78
Viewing the History of Imported Tenant Data
You can use the Import History page to view the imported tenant data, status of the
import operation, and log details.
To view the history of imported tenant data:
1. Click Tenants > All Tenants > Import Tenants > Import History.
The Import History page is displayed. Table 108 on page 183 describes the fields on
the Import History page.
2. Click the task name.
The Import Tenants Task page appears. Table 109 on page 184 describes the fields on
the Import Tenants Task page.
3. Click the task ID on the Job Status page to view the job details, such as whether this
job succeeded or failed.
Table 110 on page 184 describes the fields on the Job Status page for imported tenant
data.
Table 108: Fields on the Import History Page

| Field | Description |
|---|---|
| In progress | View the number of import tasks that are in progress. |
| Success | View the number of import tasks that succeeded. |
| Failure | View the number of import tasks that have failed. |
| Name | View the name of the task. |
| Start Date | View the start date and time of the task. |
| End Date | View the end date and time of the task. |
| Status | View the status of the task to know whether the task succeeded or failed. |
| Log | View the import logs. Click a log to access more detailed information about the imported log. |

Table 109: Fields on the Import Tenants Task Page

| Field | Description |
|---|---|
| Success | View the number of times the import operations succeeded for a tenant. |
| Failure | View the number of times the import operations failed for a tenant. |
| Task ID | View the ID created for the task. Click the task ID to view the import log details corresponding to a tenant. |
| Status | View the status of the task to know whether the task succeeded or failed. |

Table 110: Fields on the Job Status Page for Imported Tenant Data

| Field | Description |
|---|---|
| Name | View the name of the task. |
| User | View the name of the user who imported the task. |
| State | View the status of the task to know whether the task succeeded or failed. |
| Actual Start Time | View the start date and time of the task. |
| End Time | View the end date and time of the task. |
Related Documentation
• Importing Data for Multiple Tenants on page 175
Viewing the History of Deleted Tenant Data
You can use the Delete History page to view the deleted tenant data, status of the delete
operation, and log details.
To view the history of deleted tenant data:
1. Click Tenants > All Tenants > Import Tenants > Delete History.
The Delete History page is displayed. Table 111 on page 185 describes the fields on the
Delete History page.
2. Click the task name.
The Delete Tenants Tasks page appears. Table 112 on page 185 describes the fields on
the Delete Tenants Tasks page.
3. Click the task ID in the Job Status page to view the job details, such as whether this
job succeeded or failed.
Table 113 on page 186 describes the fields on the Job Status page for deleted tenant
data.
Table 111: Fields on the Delete History Page

| Field | Description |
|---|---|
| In progress | View the number of delete tasks that are in progress. |
| Success | View the number of delete tasks that succeeded. |
| Failure | View the number of delete tasks that failed. |
| Name | View the name of the task. |
| Start Date | View the start date and time of the task. |
| End Date | View the end date and time of the task. |
| Status | View the status of the task to know whether the task succeeded or failed. |
| Log | View the delete logs. Click a log to access more detailed information about deleted logs. |

Table 112: Fields on the Delete Tenants Tasks Page

| Field | Description |
|---|---|
| Success | View the number of delete operations that succeeded for a tenant. |
| Failure | View the number of delete operations that failed for a tenant. |
| Task ID | View the ID created for the task. Click the task ID to view the delete log details corresponding to a tenant. |
| Status | View the status of the task to know whether the task succeeded or failed. |

Table 113: Fields on the Job Status Page for Deleted Tenant Data

| Field | Description |
|---|---|
| Name | View the name of the task. |
| User | View the name of the user who deleted the task. |
| State | View the status of the task to know whether the task succeeded or failed. |
| Actual Start Time | View the start date and time of the task. |
| End Time | View the end date and time of the task. |
Related Documentation
• Importing Data for Multiple Tenants on page 175
• Viewing the History of Imported Tenant Data on page 183
Allocating Network Services to a Tenant
Use the Tenants page to allocate the network services to a tenant. Network services are
created and saved in Network Service Designer. When setting up a tenant with
Administration Portal, you must import the network services and allocate them to
customers. After the allocation, tenants can see and activate the network services in
Customer Portal.
Before You Begin
• Create network services in Network Service Designer. See the “Configuring Network Services” topic on page 481.
To allocate network services:
1. Click Tenants.
The Tenants page appears.
2. Select a customer and click Allocate Network Services.
The Assign Network Services to Tenant page appears. All network services are imported
and allocated to the customer.
3. Select the network services and click OK.
The network services are assigned to the tenant.
Related Documentation
• About the Tenants Page on page 171
CHAPTER 18
Configuring MSP Users
• Role-Based Access Control Overview on page 187
• About the Service Provider Users Page on page 188
• Adding Service Provider Users on page 189
• Editing and Deleting Service Provider Users on page 190
Role-Based Access Control Overview
Contrail Service Orchestration supports the authentication and authorization of users.
Both MSP and tenant users access the pages within the unified Administration and
Customer Portal based on their role and access permissions.
Table 114 on page 187 shows MSP and Tenant roles and their access privileges.
Table 114: Roles and Access Privileges

| Role | Access Privileges |
|---|---|
| MSP Administrator | Users with the MSP Administrator role have full access to the Administration Portal UI or API capabilities. They can use the UI or APIs to add one or more users with MSP Administrator or MSP Operator roles, onboard tenants, and add the first tenant administrator during the onboarding process. They can also add tenant administrators or operators by switching the scope to a specific tenant. |
| MSP Operator | Users with the MSP Operator role have read-only access to the Administration Portal UI and APIs. |
| Tenant Administrator | Users with the Tenant Administrator role have full access to the Customer Portal UI and APIs. They can add one or more users with the Tenant Administrator or Tenant Operator roles. |
| Tenant Operator | Users with the Tenant Operator role have read-only access to the Customer Portal UI and APIs. |
Related Documentation
• Authentication Methods Overview on page 193
About the Service Provider Users Page
To access this page, click Administration > Users.
Use this page to add, edit, and delete users for a service provider. You can also assign
roles to service provider users. For more information about MSP user roles and access
permissions, see “Role-Based Access Control Overview” on page 187.
The information listed on the Users page changes depending on the authentication
method configured:
• Local—The Users page lists all local users. You can add, edit, and delete local users.
• Authentication with SSO Server—The Add User page does not display the password field because you can only assign a role to an external user.
• Authentication and Authorization with SSO Server—The Users page is not displayed because users are externally managed in the single sign-on (SSO) server.
Tasks You Can Perform
The MSP administrator can perform the following tasks from this page:
• Add a service provider user. See “Adding Service Provider Users” on page 189.
• Edit and delete a service provider user. See “Editing and Deleting Service Provider Users” on page 190.
Field Descriptions
Table 115 on page 188 provides guidelines on using the fields on the Users page.
Table 115: Fields on the Users Page

| Field | Description |
|---|---|
| Username | Username of the service provider user. Example: xyz@example.com |
| First Name | First name of the service provider user. |
| Last Name | Last name of the service provider user. |
| Role | Role assigned to the service provider user. Example: MSP Admin |
| Last Login | Date and time of the last login. The format is MM/DD/YYYY HH:MIN. Example: 07/22/2017 20:07 |
Related Documentation
• Adding Service Provider Users on page 189
• Editing and Deleting Service Provider Users on page 190
Adding Service Provider Users
Use this page to add service provider users and assign roles to service provider users.
After the service provider administrator adds the user, the user account is created in the
Contrail Service Orchestration (CSO) and the user receives an e-mail with initial login
credentials.
NOTE: Users with the MSP Operator role have read-only access to the
Customer Portal and APIs and they cannot add new users.
To add a service provider user:
1. Select Administration > Users.
The Users page appears.
2. Click the plus icon (+) or click Add User.
The Add User page appears.
3. Complete the configuration as described in Table 116 on page 189.
4. Click OK to save the changes. If you want to discard the changes, click Cancel instead.
The service provider user account is created in CSO.
Table 116: Fields on the Add User Page

| Field | Description |
|---|---|
| First Name | Enter the first name as a string of alphanumeric characters and the special characters space, underscore (_), and period (.). The maximum length is 32 characters. |
| Last Name | Enter the last name as a string of alphanumeric characters and the special characters space, underscore (_), or period (.). The maximum length is 32 characters. |
| Username (E-mail) | Enter a valid e-mail address in the user@domain format. |
| Role | Select the role (MSP Operator, which is the default, or MSP Administrator) that you want to assign to the user. MSP Administrator: Users with the MSP Administrator role have full access to the Administration Portal UI or API capabilities. They can use the UI or APIs to add one or more users with MSP Administrator or MSP Operator roles, onboard tenants, and add the first tenant administrator during the onboarding process. They can also add tenant administrators or operators by switching the scope to a specific tenant. MSP Operator: Users with the MSP Operator role have read-only access to the Administration Portal and APIs. NOTE: Users with the MSP Operator role cannot add, edit, and delete users. |
| Password | Enter a password that is 6–21 characters long and contains uppercase and lowercase letters, at least one number, and one special character. |
| Confirm Password | Reenter the password. |
Related Documentation
• About the Service Provider Users Page on page 188
• Editing and Deleting Service Provider Users on page 190
Editing and Deleting Service Provider Users
You can edit the information of a service provider user, and delete one or more users.
NOTE: Users with the MSP Operator role have read-only access to
Administration Portal and APIs, and they cannot edit and delete users.
• Editing Service Provider Users on page 190
• Deleting Service Provider Users on page 191
Editing Service Provider Users
To modify a service provider user:
1. Select Administration > Users.
The Users page appears.
2. Select the user that you want to modify, and click the edit icon.
The Edit User page appears. The options available on the Add User page are available
for editing.
NOTE: You cannot modify the Username (E-mail) field.
3. Update the fields as required.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
The modified service provider user information is saved in CSO.
Deleting Service Provider Users
To delete service provider users:
1. Select Administration > Users.
The Users page appears.
2. Select the users that you want to delete and click the delete icon (X).
The Confirm Delete page appears.
3. Click Yes to delete the user or No to cancel the deletion.
If you click Yes, then the user is deleted and the user account is removed from the
CSO.
Related Documentation
• About the Service Provider Users Page on page 188
• Adding Service Provider Users on page 189
CHAPTER 19
Configuring Authentication
• Authentication Methods Overview on page 193
• About the Authentication Page on page 194
• Editing Authentication Method on page 195
• Configuring a Single Sign-On Server on page 196
• Editing and Deleting SSO Servers on page 198
• Configuring SMTP Settings on page 199
Authentication Methods Overview
Contrail Service Orchestration supports single sign-on (SSO) authentication for the
unified portal. You can configure one SSO server for a service provider and another for
all its tenants.
You can authenticate and authorize users by using one of the following authentication
methods:
• Local—User accounts are maintained locally in CSO, and users are authenticated and authorized by CSO.
• Authentication by using an SSO server—User accounts are maintained in the service provider’s SSO server, but authorization information is stored in CSO. Users are authenticated by using the credentials stored in the SSO server.
• Authentication and authorization by using an SSO server—User accounts and user roles are maintained in the service provider’s SSO server. Users are authenticated by the SSO server and authorized by CSO by using Security Assertion Markup Language (SAML) attributes.
When you log in to the unified Administration and Customer Portal, the login page is
displayed. To log in to the unified Administration and Customer Portal, enter the username
on the login page. If the username matches the username pattern configured for SSO,
then you are redirected to the SSO page. If the username does not match the username
pattern, you must enter the password.
Related Documentation
• About the Authentication Page on page 194
• Editing Authentication Method on page 195
• Configuring a Single Sign-On Server on page 196
About the Authentication Page
To access this page, click Administration > Authentication.
Use this page to configure the authentication method for service provider and tenant
users. You can also use this page to add, edit, and delete SSO servers, and modify the
authentication method. You can also configure one SSO server for a service provider and
another for all its tenants.
Tasks You Can Perform
You can perform the following tasks from this page:
• Edit the authentication method. See “Editing Authentication Method” on page 195.
• Configure an SSO server. See “Configuring a Single Sign-On Server” on page 196.
• Edit and delete an SSO server. See “Editing and Deleting SSO Servers” on page 198.
Field Descriptions
Table 117 on page 194 provides guidelines on using the fields on the Authentication page.
Table 117: Fields on the Authentication Page

| Field | Description |
|---|---|
| Authentication Method | |
| Users | View the user’s type. Example: MSP Users or Tenant Users |
| Authentication Method | View the type of authentication method. Example: Local Authentication |
| Username Pattern | View the username pattern. Example: *@aaa-example.com |
| Single Sign-On (SSO) Servers | |
| SSO Server | View the name of the SSO server. |
| Description | View the description of SSO server. |
| Metadata URL | View the URL of the identity provider metadata. Example: https://aaa-example.com/saml/metadata/64000 |
| Usage | View the information about whether the SSO server is used for authenticating MSP users or tenant users. Example: MSP Users |
Related Documentation
• Authentication Methods Overview on page 193
• Configuring a Single Sign-On Server on page 196
• Editing Authentication Method on page 195
Editing Authentication Method
Use the Authentication page to modify the authentication method for service provider
and tenant users.
To modify the authentication method:
1. Select Administration > Authentication.
The Authentication page appears.
2. Select the user type (MSP User or Tenant User) for which you want to change the
authentication method, and click the edit (pencil) icon.
The Authentication Type page appears.
3. Select any one of the authentication methods that you want to configure for the user.
• Local Authentication
• Authentication with SSO Server
• Authentication and Authorization with SSO Server
4. Enter the configuration as described in Table 118 on page 195.
NOTE: If you select the Local Authentication type, the SSO Server and
Username Patterns fields are not displayed.
5. Click Save to save the changes. If you want to discard the changes, click Cancel instead.
Table 118: Fields on the Authentication Type Page

| Field | Description |
|---|---|
| SSO Server | Select the SSO server name from the list. |
| Username Pattern | Enter a list of username patterns separated by using a comma, space, or semicolon. For example, *@aaa-example.com. NOTE: If the username matches the username pattern, the user is redirected to the SSO server to complete the authentication process. If the username does not match with any of the username patterns, then the local authentication is assumed. |
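The following Python script is an added example, not part of this guide or of CSO; it shows how a Username Pattern value splits into patterns and lets you check, before saving, which usernames would be sent to the SSO server and which would fall back to local authentication. Assumptions: `*` is treated as a shell-style wildcard and matching is case-insensitive (the guide gives only the example *@aaa-example.com and does not define the matching rules), and all usernames and the second pattern are constructed.

```python
import fnmatch
import re


def parse_patterns(field):
    """Split the Username Pattern field on commas, spaces and semicolons."""
    return [p for p in re.split(r"[,;\s]+", field.strip()) if p]


def route(username, patterns):
    """Return 'sso' when any pattern matches, otherwise 'local'."""
    name = username.lower()
    for pattern in patterns:
        # Assumption: shell-style wildcards, compared case-insensitively.
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return "sso"
    return "local"


def unanchored_patterns(patterns):
    """List patterns that do not pin one complete mail domain after an @."""
    flagged = []
    for pattern in patterns:
        _, at, domain = pattern.rpartition("@")
        if not at:
            flagged.append((pattern, "no @, so the domain is not anchored"))
        elif any(ch in domain for ch in "*?["):
            flagged.append((pattern, "wildcard in the domain part"))
    return flagged


def audit(field, expected):
    """Return (username, wanted, actual) for every account routed wrongly."""
    patterns = parse_patterns(field)
    mismatches = []
    for username, wanted in expected.items():
        actual = route(username, patterns)
        if actual != wanted:
            mismatches.append((username, wanted, actual))
    return mismatches


# Constructed input: the first pattern is the guide's example, the second is
# a deliberately loose pattern of the kind this check is meant to catch.
FIELD = "*@aaa-example.com; *partner.example.net"

# Constructed expectations: where each account is supposed to authenticate.
EXPECTED = {
    "alice@aaa-example.com": "sso",
    "Bob@AAA-Example.com": "sso",
    "ops@msp.example": "local",
    "eve@fakepartner.example.net": "local",
}

if __name__ == "__main__":
    for pattern, reason in unanchored_patterns(parse_patterns(FIELD)):
        print(f"review pattern {pattern}: {reason}")
    for username, wanted, actual in audit(FIELD, EXPECTED):
        print(f"{username}: expected {wanted}, would be routed to {actual}")
```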
Related Documentation
• About the Authentication Page on page 194
• Configuring a Single Sign-On Server on page 196
• Editing and Deleting SSO Servers on page 198
Configuring a Single Sign-On Server
Use this page to configure a single sign-on (SSO) server that is used for authenticating
users. Two entities are involved in the SSO configuration:
• SSO Server or Identity Provider—An external server integrated with CSO.
• Service Provider—Acts as an SP and receives the Security Assertion Markup Language (SAML) assertion that the SSO server sends in response to a login request.
The identity provider and the service provider trust each other, and configuration is
required on both entities. Two use cases are possible:
• The identity provider is configured before the SSO server is added in CSO—The identity provider is configured first; the MSP administrator then adds the SSO server in CSO and enters the server name and metadata URL.
• The identity provider (IdP) is configured after the SSO server is added in CSO—Enter the SSO server name and then click the Next button. CSO provides a list of URLs to be configured in the identity provider. After the identity provider is configured with the URLs, you can edit the SSO server name and enter the metadata URL.
NOTE: For both use cases, the metadata URL is required before you use
the SSO server.
To configure an SSO server:
1. Select Administration > Authentication.
The Authentication page appears.
2. Click the plus icon (+) in the Single Sign-On Server section.
The Add Single Sign-On Server page appears.
3. Complete the configuration according to the guidelines in Table 119 on page 197.
4. Click Save to save the changes. If you want to discard the changes, click Cancel instead.
5. After you configure both the SSO Server and CSO, click the Test Login button from
the Authentication page.
The SSO login page appears and shows the SAML attributes.
NOTE: You must specify the metadata URL before you click the Test Login
button. If you click the Test Login button without entering the metadata
URL, an error message indicating that the metadata URL must be specified
is displayed.
Table 119: Fields on the Single Sign-On Server Page
Field
Description
Basic Info
SSO Server Name
Specify the name of the SSO server. You can use a string of alphanumeric characters, special
characters such as the underscore (_) or the period (.), and spaces. The maximum length
is 40 characters.
Description
Enter a meaningful description for the SSO server.
Metadata URL
Enter the URL from where the application metadata needs to be downloaded.
SAML Settings
SAML URLs
CSO displays the SAML URL settings. The administrator uses this information to configure
the IdP.
Single Sign-On URL
Displays the SAML Assertion Consumer Service (ACS) URL for the application.
Example: https://aaa-example.com/ssol/sso server name/SAML2/POST
Audience URI (SP Entity ID)
Displays the service provider entity ID of the application.
Example: https://aaa-example.com/Shibboleth
Metadata URL
Displays the metadata URL of the application.
Example: https://aaa-example.com/saml/metadata/64000
Download Metadata
Click this option to download metadata from the application.
The administrator can download the CSO metadata and use the metadata to configure the
identity provider instead of configuring individual identity provider fields one at a time.
SAML Attributes
The identity provider needs to provide the SAML attributes if the authentication method is
configured as Authentication and Authorization with SSO Server.
NOTE: No SAML attributes are required if the authentication method is configured as
Authentication with SSO Server.
tenant
This attribute is required when the Tenant User is authenticated. The value of this attribute
should match the tenant name used when the tenant was onboarded.
NOTE: This field is not required for users with the MSP Admin and MSP Operator roles.
role
This attribute has four values. See Table 120 on page 198.
Table 120: Attribute Values and Roles
Attribute Value     Role
cloud-admin         MSP Admin
cloud-operator      MSP Operator
tenant-admin        Tenant Admin
tenant-operator     Tenant Operator
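A pre-flight check for the tenant and role attribute rules above and the values in Table 120, as an added example that is not CSO or identity-provider code. It assumes the attributes arrive with Name set to the literal strings tenant and role, one value each, and that tenant names are compared exactly; the assertions and the tenant name acme-retail are constructed, and the check reads attributes only, without verifying the assertion's signature.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Table 120: value of the "role" attribute -> CSO role.
ROLE_MAP = {
    "cloud-admin": "MSP Admin",
    "cloud-operator": "MSP Operator",
    "tenant-admin": "Tenant Admin",
    "tenant-operator": "Tenant Operator",
}
# Roles for which the guide requires the "tenant" attribute.
TENANT_ROLES = {"tenant-admin", "tenant-operator"}


def sample_assertion(**attributes):
    """Build a constructed, unsigned assertion fragment for offline checks."""
    rows = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (name, escape(value))
        for name, value in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>%s'
        "</saml:AttributeStatement></saml:Assertion>" % (SAML_NS["saml"], rows)
    )


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.

    Intended for a decoded assertion you captured yourself; ElementTree is
    not hardened against hostile XML.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_attributes(assertion_xml, onboarded_tenants):
    """Return (role_name, tenant, problems) for one assertion."""
    attrs = read_attributes(assertion_xml)
    roles, tenants = attrs.get("role", []), attrs.get("tenant", [])
    problems = []
    role_name = tenant = None

    if len(roles) != 1:  # assumption of this check: exactly one role value
        problems.append("role: expected one value, found %d" % len(roles))
    elif roles[0] not in ROLE_MAP:
        problems.append("role: %r is not one of %s" % (roles[0], sorted(ROLE_MAP)))
    else:
        role_name = ROLE_MAP[roles[0]]

    # tenant is required for tenant users only, not for MSP Admin or MSP Operator.
    if role_name and roles[0] in TENANT_ROLES:
        if len(tenants) != 1 or not tenants[0]:
            problems.append("tenant: required for %s, found %d value(s)"
                            % (role_name, len(tenants)))
        elif tenants[0] not in onboarded_tenants:
            problems.append("tenant: %r does not match an onboarded tenant name"
                            % tenants[0])
        else:
            tenant = tenants[0]
    return role_name, tenant, problems


if __name__ == "__main__":
    known = {"acme-retail"}  # constructed tenant name
    for xml in (
        sample_assertion(role="tenant-admin", tenant="acme-retail"),
        sample_assertion(role="cloud-operator"),
        sample_assertion(role="tenant-operator"),
        sample_assertion(role="Tenant Admin", tenant="acme-retail"),
    ):
        print(check_attributes(xml, known))
```

The last sample sends the role's display name instead of the attribute value, which is the kind of identity provider mapping mistake this check is meant to surface before users attempt to log in.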
Related
Documentation
•
Editing and Deleting SSO Servers on page 198
Editing and Deleting SSO Servers
From the Administration > Authentication page, you can edit the information of an SSO
server, and delete one or more SSO servers.
•
Editing SSO Server Configuration on page 198
•
Delete SSO Server Configurations on page 199
Editing SSO Server Configuration
To edit the SSO server configuration:
1.
Select Administration > Authentication.
The Authentication page appears.
2. From the Single Sign-On (SSO) Servers section, select the check box of the SSO
server name that you want to modify, and click the edit icon.
The Edit Single Sign-On page appears. The options available on the Add Single Sign-On
Server page are available for editing.
3. Update the configuration as needed.
4. Click Next to save the changes. If you want to discard your changes, click Cancel
instead.
Delete SSO Server Configurations
Use the delete icon (X) at the top right corner of a page to delete one or more SSO servers.
To delete the SSO server configuration:
1.
Select Administration > Authentication.
The Authentication page appears.
2. Select the SSO server name that you want to delete and click the delete icon (X).
The Confirm Delete page appears.
3. Click Yes to delete the SSO server or No to cancel the deletion.
If you click Yes, then the SSO server is deleted. After an SSO server is deleted, you
cannot use that SSO server to authenticate or authorize users.
Related
Documentation
•
About the Authentication Page on page 194
•
Configuring a Single Sign-On Server on page 196
Configuring SMTP Settings
Use this page to configure an SMTP e-mail server. After you log in to the unified
Administration or Customer portal for the first time, you must configure the SMTP settings
for your deployment.
To configure SMTP settings:
1.
Click Administration > SMTP.
The SMTP page appears.
2. Specify the SMTP settings that you want to use for the mail server. See
Table 121 on page 200.
3. Click Save.
The status of the save operation is displayed.
Table 121: SMTP Settings
Field
Description
Server Address
Specify the hostname for the SMTP e-mail server.
TLS
Enable this option to protect the transmission of the content of e-mail messages. This setting
ensures that the information will be transmitted over an encrypted channel.
Port Number
Specify the port number to use for the mail server. Check with your e-mail service provider for
this port number. Generally, the port number 587 is used for a Transport Layer Security (TLS)
connection and the port number 25 is used for unencrypted connections.
SMTP Authentication
Use this option if the e-mail server requires authentication.
The Username and Password fields are displayed when you enable this option.
Disable this option if you want to configure an unauthenticated e-mail server.
The From Name and From E-Mail Address fields are displayed when you disable this option.
Username
Enter a username for the SMTP server.
Password
Enter a password for the SMTP server.
From Name
Enter your username.
Example: John Doe
From E-Mail Address
Enter your e-mail address.
Related
Documentation
•
Authentication Methods Overview on page 193
•
About the Authentication Page on page 194
CHAPTER 20
Configuring Licenses
•
About the Licenses Page on page 201
•
Uploading a License File on page 202
About the Licenses Page
To access this page, click Administration > Licenses.
You can use the Licenses page to upload licenses for virtual network services from your
local file system and deploy them on VIMs at selected POPs and sites. See “Device Images
Overview” on page 127. The license key is required to enable application-based routing,
application monitoring, and other vSRX security features.
Tasks You Can Perform
You can perform the following tasks from this page:
•
Upload Licenses. See “Uploading a License File” on page 202.
•
View details about a VNF Image. Click the details icon that appears when you hover
over the name of an image or click More > Details. See “Viewing Object Details” on
page 14.
•
Show or hide columns about the VNF. See “Sorting Objects” on page 15.
•
Search for an object related to the VNF. See “Searching for Text in an Object Data Table” on
page 15.
Field Descriptions
Table 122 on page 201 describes the fields on the License Files page.
Table 122: Fields on the License Files Page
Field
Description
License Name
View the filename of the license.
Example: license_Image_v1
Build
View the build name of the license.
Example: 1
Version
View the version number of the license.
Example: 1.1
Vendor
View the vendor name of the license.
Example: Juniper Networks
Family
Select the device family of the license.
Example: SRX
Model
View the model number of the license.
Example: 1
Description
View the description of the license.
Example: The license is applicable for SRX340 device.
Uploaded By
View the administrator who uploaded the license.
Example: test_admin
Last Uploaded
View the date and time when the license was uploaded.
Example: 11/18/2016 19:15
Related
Documentation
•
Uploading a License File on page 202
Uploading a License File
To upload a license file:
1.
Click Administration > Licenses.
The License Files page appears.
2. Click the plus icon (+).
The Upload License File page appears.
3. Complete the configuration settings according to the guidelines provided in
Table 123 on page 203.
4. Click Upload. If you want to cancel the upload, click Cancel instead.
The color-coded License Loaded option indicates that the license was uploaded
successfully.
5. Click OK to save the changes.
You are returned to the License Files page.
Table 123 on page 203 provides guidelines on using the fields on the Upload License File
page.
Table 123: Fields on the Upload License File page
Field
Description
Name
Specify the name of the license file.
Example: vsrx-license-15.1.qcow2
Image Type
Select the type of software image from the list.
Example: SRX License
Description
Specify a description of the license file.
File Location
Click Browse to navigate to the file location in your local system and select the license
to upload to the virtual network service.
Vendor
Select the vendor name of the license.
Example: Juniper Networks
Family
Select the device family of the license.
Example: SRX
Supported Platform
Specify the platform supported by the license.
Example: SRX340.
Major Version Number
Specify the major version number of the license.
Example: 1.1.1
Minor Version Number
Specify the minor version number of the license.
Example: 1
Build Name
Specify the build name of the license.
Example: 1
Related
Documentation
•
About the Licenses Page on page 201
•
Device Images Overview on page 127
CHAPTER 21
Managing Signature Database
•
Signature Database Overview on page 205
•
About the Active Database Page on page 206
•
Scheduling Signature Downloads on page 207
•
Installing Signatures on page 208
Signature Database Overview
The Application Firewall signature database includes signature definitions of attacks
and applications that can be used to identify applications for tracking firewall policies
and quality-of-service (QoS) prioritization.
Contrail Service Orchestration (CSO) enables you to download the signature database.
During a download, the complete signature database is downloaded, and the download
might take some time to complete. You can track the progress of the download by using
job details.
All of the downloaded signatures are created as a default project in read-only mode. The
configurations that are downloaded are also saved as a default project.
Related
Documentation
•
About the Active Database Page on page 206
•
Scheduling Signature Downloads on page 207
•
Installing Signatures on page 208
About the Active Database Page
To access this page, select Administration > Signature Database. The Active Database
page appears.
Use the Active Database page to download and install the Application Firewall signature
database to security devices. This database includes signature definitions of attacks and
applications that can be used to identify applications for tracking firewall policies,
SD-WAN flows, and QoS prioritization.
Tasks You Can Perform
You can perform the following tasks from this page:
•
Schedule signature downloads. See “Scheduling Signature Downloads” on page 207.
•
Install signatures. See “Installing Signatures” on page 208.
Field Descriptions
The Active Database page provides an overall, high-level view of your signature database
settings. The Latest List of Signatures table provides a search option that you can use to
search for the signature you want. Table 124 on page 206 describes the fields on this page.
Table 124: Fields on the Active Database Page
Field
Description
Active Database
Database Version
Version of signature database.
Publish Date
Date when the signature database was published.
Update Job
Job ID of the last successful download signatures job.
Installed Device Count
Number of devices installed.
Detectors
Version number of the protocol detector currently running on the device.
Action
Install signature database configuration.
Latest List of Signatures
Database Version
Version of latest signature database.
Publish Date
Date when the signature database was published.
Update Summary
List of updated signature details for the selected database.
Detectors
Version number of the protocol detector currently running on the device.
Action
Full Download–Download the complete signature database; the download might
take a while to complete.
Related
Documentation
•
Signature Database Overview on page 205
•
Scheduling Signature Downloads on page 207
•
Installing Signatures on page 208
Scheduling Signature Downloads
Use this page to schedule a full download of the signature database. During a full
download, the complete signature database is downloaded; the download might take
some amount of time.
To download the signature database:
1.
Select Administration > Signature Database.
The Active Database page appears.
2. Click Schedule Signature Download.
The Schedule Signature Download page appears.
3. Select Run now to automatically download the signature database immediately.
4. Select Schedule at a later time to set the signature database to automatically download
at the specified date and time and to take the following actions:
a. Choose a date by clicking the date picker icon.
b. Enter the time.
c. Select the time format from the drop-down list.
5. Click OK.
Related
Documentation
•
Signature Database Overview on page 205
•
About the Active Database Page on page 206
•
Installing Signatures on page 208
Installing Signatures
After the signature database is downloaded, you can install the active database.
NOTE: You must install the application identification license before installing
the signature database. For the installation procedure, refer to the Known
Behavior section of the Cloud CPE Solution Release Notes (available at
https://www.juniper.net/documentation/en_US/release-independent/nfv/information-products/pathway-pages/index.html).
To install the signature database:
1.
Select Administration > Signature Database.
2. Click Install Signatures.
The Install Signatures page appears.
3. View the summary of the active signature database version that will be installed
on your device.
4. Click the check box next to the devices on which you want to install the signature
database.
You can also search, sort, or filter this information.
5. Select Run now to set the signature database to automatically install immediately.
6. Select Schedule at a later time to set the signature database to automatically download
at the specified time and to take the following actions:
a. Choose a date by clicking the date picker icon.
b. Enter the time.
c. Select the time format from the drop-down list.
7. Click OK.
The signature database installation is complete.
Related
Documentation
•
Signature Database Overview on page 205
•
About the Active Database Page on page 206
•
Scheduling Signature Downloads on page 207
PART 2
Customer Portal
•
Introduction on page 211
•
Using the Dashboard on page 219
•
Managing Objects on page 223
•
Monitoring Tenants, Sites, and Services on page 225
•
Monitoring Security Alerts and Alarms on page 231
•
Monitoring Security and Device Events on page 237
•
Monitoring SD-WAN Events on page 261
•
Monitoring Applications on page 265
•
Monitoring Jobs on page 279
•
Managing Devices on page 283
•
Managing Device Images on page 287
•
Managing Network Services on page 291
•
Managing Firewall Policies on page 307
•
Managing SD-WAN on page 329
•
Managing NAT Policies on page 343
•
Managing Shared Objects on page 353
•
Managing Deployments on page 377
•
Managing Sites on page 383
•
Managing Site Groups on page 399
•
Reports on page 401
•
Managing Tenant Users on page 411
•
Licenses on page 417
•
Signature Database on page 419
CHAPTER 22
Introduction
•
Unified Administration and Customer Portal Overview on page 211
•
Customer Portal Overview on page 212
•
Switching the Tenant Scope on page 213
•
Accessing Customer Portal on page 213
•
Setting Up Your Network with Customer Portal on page 214
•
Changing the Password on First Login on page 215
•
Changing the Customer Portal Password on page 216
•
Resetting the Password on page 217
•
Extending the User Login Session on page 218
Unified Administration and Customer Portal Overview
Contrail Service Orchestration supports a unified portal for both service provider users
and tenant users and for the services managed and consumed by the administrators and
tenants.
The unified portal contains the features of vCPE, uCPE, and SD-WAN for both
Administration and Customer portals; enforces role-based access control (RBAC), which
prevents tenants from accessing administrator data; and supports different backend
authentication methods for service provider users and tenant users.
The unified portal enables service providers to deploy Juniper Networks security features
as a virtualized network function (VNF) either in distributed or centralized mode
or in the branch SRX Series device. This VNF provides advanced firewall and Network
Address Translation (NAT) management capabilities to end users from a single pane of
glass (SPOG) user interface, in a multitenant environment. This integrated user experience
can leverage the rich features or functionality supported in the Security Director
application. Service provider administrators are able to manage all phases of the security
policy life cycle more quickly and intuitively, from policy creation through deployment.
Firewall and NAT management features include policy configuration such as rule analysis,
rule reordering, event viewer for firewall and NAT events, alerts and alarms, logs and
dashboard widgets. All features have RBAC enforced, which enables either the MSP
administrator or the tenant administrator to configure policies for the tenant.
In addition to security management, the unified portal provides capabilities such as bulk
image upgrade, chassis view, configuration backup, and reboot. The unified portal also
provides SD-WAN capabilities with integrated firewall, NAT management, and device
management.
Related
Documentation
•
Customer Portal Overview on page 212
•
Switching the Tenant Scope on page 213
•
Firewall Policy Overview on page 307
•
SLA Profiles and SD-WAN Policies Overview on page 329
•
NAT Policies Overview on page 343
Customer Portal Overview
You use Customer Portal to activate and manage sites, customer premises equipment
(CPE) devices, and network services in your network. Your service provider sets up the
network topology, assigns network services to you, and provides initial login credentials
for Customer Portal. You can change your password through Customer Portal after you
log in for the first time.
Your network uses one of the following deployment topologies:
•
A centralized deployment
In a centralized deployment, virtualized network functions (VNFs) reside in a service
provider’s cloud in a network point of presence (POP). Sites that access network
services in this way are called cloud sites in this documentation.
•
A distributed deployment
In the distributed deployment, VNFs reside on a CPE device located at a customer’s
site. These sites are called on-premise sites in this documentation.
•
A combined centralized and distributed deployment
In this deployment, your network contains both cloud sites and on-premise sites. VNFs
for a cloud site reside in the service provider’s cloud and VNFs for an on-premise site
reside on the CPE device.
Each connection for a cloud site and each on-premise site can support one network
service, although use of a network service on any connection or device is optional.
NOTE: NFX250 devices activate automatically when you power them up
and configure basic connectivity settings, and you do not need to activate
these devices through Customer Portal. See the NFX250 documentation at:
http://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/nfx-series/product/
Related
Documentation
•
Accessing Customer Portal on page 213
•
Changing the Customer Portal Password on page 216
Switching the Tenant Scope
Administration Portal users can change the tenant scope from all tenants to a specific
tenant by using the tenant switcher displayed on the banner.
When you switch scope from all tenants to a specific tenant, the menu and pages
displayed are almost the same as those displayed for Customer Portal users, with some
additional actions visible to the Administration Portal users. When you switch back to
the All Tenants scope, the menu and pages for the Administration Portal are displayed.
To switch from one scope to another:
•
From the top right corner of the page, select the All Tenants scope to access
Administration Portal or select a specific tenant (for example, aaa) to access Customer
Portal. The menu and pages for Administration Portal or Customer Portal are displayed
based on the scope selected from the drop-down list.
Related
Documentation
•
Unified Administration and Customer Portal Overview on page 211
•
Role-Based Access Control Overview on page 411
Accessing Customer Portal
To start Customer Portal:
1.
Obtain the following information from your service provider:
•
IP address for the Customer Portal host.
•
Login credentials:
•
Username
•
Password
2. Using a Web browser, access the URL for Customer Portal.
For example, if the IP address of the host on which Customer Portal resides is 192.0.2.1,
the URL is https://192.0.2.1.
NOTE: We recommend that you use Google Chrome Version 60 or later
to access the Contrail Service Orchestration (CSO) GUIs.
3. Log in with the credentials provided.
The Customer Portal Dashboard page appears and you can now start to activate
sites.
From CSO Release 3.1 onward, the customer portal functionality has been enhanced
to provide a richer user experience. The menu bar on the left-hand side of every
page allows you to access the different tasks easily. The top-level menu items are
listed in Table 125 on page 214.
Table 125: Customer Portal Menu
Menu Name
Description
Dashboard
Configurable dashboard that offers you a customized view of network services through its
widgets
Monitor
Monitor alerts and alarms, security, device, and software-defined WAN (SD-WAN) events;
applications and jobs
Resources
Device and software image management
Configuration
Configure network services, shared objects, and policies (firewall, NAT, SD-WAN), and view
and manage configuration deployments
Sites
Manage sites and site groups
Reports
Create report definitions and view reports
Administration
Manage users, licenses, and the signature database
Related
Documentation
•
Changing the Customer Portal Password on page 216
•
Customer Portal Overview on page 212
Setting Up Your Network with Customer Portal
Your service provider specifies which sites appear in your network and the network services
that you can use. When you start working in Customer Portal, you must set up your
network using the available sites and network services.
To set up your network with Customer Portal:
1.
You can add an on-premise site from the Sites page. Two types of on-premise sites
can be added: spoke site and on-premise hub. See “Creating On-Premise Sites” on
page 384.
2. Activate the on-premise site. See “Configuring a Site” on page 395.
3. Deploy network services. See “Managing a Single Site” on page 389.
4. View and manage policies.
•
View and manage a firewall policy. See “Creating Firewall Policy Intents” on page 312
and “Deploying Policies” on page 380.
•
View and manage an SD-WAN policy. See “Creating SLA Profiles” on page 339,
“Creating SD-WAN Policy Intents” on page 333, and “Deploying Policies” on page 380.
Related
Documentation
•
Accessing Customer Portal on page 213
Changing the Password on First Login
To enhance the security related to login credentials, you are prompted to change the
password when you log in to the portal for the first time.
To change the password when you log in for the first time:
1.
Log in to the portal with the default login credentials.
The Change Password page appears with a message that you must change your
password for security purposes.
NOTE: The Change Password page appears only if you are logging in to
the portal for the first time.
2. Change your password following the guidelines provided in Table 126 on page 215.
3. Click Ok.
NOTE: It is mandatory to change the login password when you log in to
the portal for the first time. If you click Cancel, you are redirected to the
login page.
The login password is changed and you are logged out of the system. To log in to the
portal again, you must use your new password.
Table 126: Fields on the Change Password Page
Field
Description
New Password
Enter your new password.
The login password that you set must be between 6 and 21 characters long, and it must include at
least one lowercase letter, one uppercase letter, one special character, and one number.
NOTE: The password strength indicator displays the efficiency of the password that you enter. You
cannot proceed to the next step if the password strength indicator shows that the password is
weak.
Confirm Password
Reenter the password for confirmation.
You can select Show Password to view the password.
Related
Documentation
•
Accessing Customer Portal on page 213
•
Changing the Customer Portal Password on page 216
•
Resetting the Password on page 217
Changing the Customer Portal Password
To change the Customer Portal password:
1.
Click the customer username that is located at the right side of the Customer Portal
banner.
The drop-down list appears.
2. Click Change Password.
The Change Password page appears.
3. Specify the current password.
4. In the New Password text box, specify your new password.
The login password that you set must conform to a particular set of requirements,
such as a minimum length of 6 characters and a maximum length of 21 characters, and
must include at least one lowercase letter, one uppercase letter, an alpha-numeric
character, and a numeric character.
5. In the Confirm Password text box, specify your new password again.
Select the Show Password option to view the password.
6. Click OK.
You are logged out of the system. To log in to Customer Portal again, you must use
your new password. Other sessions logged in with the same username are unaffected
until the next login.
Related
Documentation
•
Customer Portal Overview on page 212
•
Accessing Customer Portal on page 213
Resetting the Password
If you have forgotten your password, you can reset the password from the login screen.
NOTE: Your account is locked after five consecutive unsuccessful login
attempts.
To reset the password:
1.
On the login page, click the Forgot Password link.
The Forgot Password page appears, with a message that an e-mail notification with
a verification code is sent to your e-mail address.
NOTE: The Forgot Password link appears only after you specify the
username.
2. In Verification Code, specify the verification code that you have received through an
e-mail.
NOTE: The verification code expires after a time duration of 15 minutes.
3. Click OK.
The Reset Password page appears.
4. Change your password following the guidelines provided in Table 127 on page 217.
5. Click OK.
Your password is reset.
Table 127: Fields on the Reset Password Page
Field
Description
Username
Enter your username.
New Password
Enter your new password.
The login password that you set must be between 6 and 21 characters long, and it must include
at least one lowercase letter, one uppercase letter, one special character, and one number.
NOTE: The password strength indicator displays the efficiency of the password that you enter.
You cannot proceed to the next step if the password strength indicator shows that the password
is weak.
Confirm Password
Reenter the password for confirmation.
You can select Show Password to view the password.
Related
Documentation
•
Accessing Customer Portal on page 213
•
Changing the Password on First Login on page 215
•
Changing the Customer Portal Password on page 216
Extending the User Login Session
In the unified portal, a login session expires in 60 minutes. After 55 minutes, the Extend
Session page is displayed, prompting you to enter your password. You must enter
your password to extend the session. The Extend Session page is displayed when the
Local authentication method is configured.
If you have logged in to the portal with SSO authentication, the Extend Session page is
displayed and you can authenticate with the external SSO server. However, the SSO
expiration is not under the control of CSO and the following can happen:
•
If the external SSO session is expired, you will be authenticated in the Extend Session
page. After successful authentication, the Extend Session page is closed automatically.
•
If the external SSO session is not expired, the Extend Session page is closed
automatically.
To extend the login session:
1.
On the Extend Session page, enter your password in the Password field. If you want
to end your session and exit from the portal, click Cancel instead and you are redirected
to the Login page.
2. Click OK.
The success message Your Session has been successfully extended is displayed.
Related
Documentation
•
Changing the Customer Portal Password on page 216
CHAPTER 23
Using the Dashboard
•
About the Customer Portal Dashboard on page 219
About the Customer Portal Dashboard
To access the dashboard, select Customer Portal > Dashboard.
Each time you log in to Customer Portal, the first thing you see is a user-configurable
dashboard that offers you a customized view of network services through its widgets.
You can drag these widgets from the top of the dashboard to your workspace, where
you can add, remove, and rearrange them to meet your needs.
The dashboard automatically adjusts the placement of the widgets to dynamically fit
on your browser window without changing their order. You can manually reorder the
widgets by using the drag and drop option. In addition, you can press and hold the top
portion of the widget to move it to a new location.
Tasks You Can Perform
You can perform the following tasks from this page:
• Customize the dashboard by adding, removing, and rearranging the widgets on a per
user basis.
• Update the dashboard or an individual widget by clicking the refresh icon.
• Show or hide widget thumbnails by clicking Select Widgets at the top of the page.
• Add a widget to the dashboard by dragging the widget from the palette or thumbnail
container into the workspace.
• Delete a widget from the dashboard page by clicking the delete icon (X) in the title
bar.
Field Descriptions
You can quickly view important data by using the widgets at the top of your dashboard.
Table 128 on page 220 describes the dashboard widgets.
Table 128: Widgets on the Customer Portal Dashboard
Widget
Description
Alerts Donut Chart
View the total number of alerts grouped by severity level.
Click each alert name to view the total number of tenant sites receiving alerts that are
critical, major, or minor.
Top 5 Sites with Alerts
View the top five tenant sites receiving alerts.
• Name—Name of the tenant site.
• Location—Location of the tenant site.
• Status—Type of alerts received: critical, major, or minor.
Top Sites not meeting SLA
View a bar chart of the top tenant sites that did not meet SLA requirements and the
percentage of time that SLA requirements were not met.
Sort the information based on profile and period ranging from the last hour to the last
month.
Top Profiles not meeting SLA
View a bar chart of the top SLA profiles that did not meet SLA requirements and the
percentage of time that SLA requirements were not met.
Sort the information based on location and period ranging from the last hour to the last
month.
Top Sites Switching Links
View a column chart of the top sites in the tenant that switched WAN links to meet SLA
requirements and the number of link-switch events for the sites.
Sort the information based on profile and period ranging from the last hour to the last
month.
Top Profiles Switching Links
View a column chart of the top SLA profiles that switched WAN links and the number of
link-switch events for the SLA profiles.
Sort the information based on location and period ranging from the last hour to the last
month.
Top Applications by Throughput
View a bar chart of the top sites in the tenant that did not meet SLA requirements and the
percentage of time that SLA requirements were not met.
Sort the information based on profile, location, and time period.
Firewall: Top Denials
View a column chart of the top requests denied by the firewall based on their source IP
addresses, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
Firewall: Top Events
View a bar chart of the top firewall events of the network traffic, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
IPS: Top Events
View the top IPS events of the network traffic, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
Applications: Most Sessions
View a bar chart of the top applications with a maximum number of sessions, sorted by
count.
Sort the information based on time period ranging from 5 minutes to 7 days.
IP: Top Destinations
View the top IP destination addresses of the network traffic, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
IP: Top Sources
View the top IP source addresses of the network traffic, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
IP: Top Spams by Source IPs
View the number of spams detected by the source IPs.
Sort the information based on time period ranging from 5 minutes to 7 days.
Virus: Top Blocked
View viruses with the maximum number of blocks, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
Web Filtering: Top Blocked Websites
View a bar chart of websites with the maximum number of blocks, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
IP: Top Source IPs by Volume
View the top source IP addresses based on volume of traffic, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
Application: Top Application by Volume
View the applications based on volume of traffic, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
IP: Top Users/IP by Sessions
View the top source IP addresses by sessions, sorted by count.
Sort the information based on time period ranging from 5 minutes to 7 days.
Threat Map: Virus
View a world map showing total virus event count across countries.
Sort the information based on source, destination, and time period ranging from 5 minutes
to 7 days.
Threat Map: IPS
World map showing total IPS event count across countries.
Sort the information based on source, destination, and time period ranging from 5 minutes
to 7 days.
Related Documentation
• Customer Portal Overview on page 212
CHAPTER 24
Managing Objects
• Sorting Objects
• Viewing Object Details
• Searching for Text in an Object Data Table
Sorting Objects
You can use the Show Hide Columns icon in the top right corner of a page to show or hide
objects on a page. You can also sort the objects in a page by clicking the object column.
The following options are available for sorting the objects:
• Sort text in alphabetical order.
• Sort numbers in ascending or descending order.
• Sort by date or time.
• Rearrange columns in a table.
• Increase or decrease column width.
To show or hide an object:
1. Click the Show Hide Columns icon.
The objects that are relevant to the page are displayed. By default all objects are
selected and displayed on the page.
2. Select the objects that need to be displayed on the page and clear the objects that
are not required to be displayed.
The objects are displayed or hidden as per the selection.
Related Documentation
• Searching for Text in an Object Data Table on page 224
Viewing Object Details
You can use the Detailed View page to view all the configured parameters of an object.
Only some of the configured parameters appear in the list of features on the main page.
To view details for an object:
• Right-click the object that you want to see the detailed view for and click Quick View,
or select the object and click More > Details.
• Alternatively, hover over the object name and click the Detailed View icon that appears
before it.
The Detailed View page appears showing the configuration information. See the relevant
About the Objects Page topic for a description of the fields on these pages.
Related Documentation
• Sorting Objects on page 223
Searching for Text in an Object Data Table
You can use the search icon in the top right corner of a page to search for text containing
letters and special characters on that page.
To search for text:
1. Enter partial text or full text of the keyword in the search bar and click the search icon.
The search results are displayed.
2. Click X next to a search keyword or click Clear All to clear the search results.
Related Documentation
• Sorting Objects on page 223
• Viewing Object Details on page 223
CHAPTER 25
Monitoring Tenants, Sites, and Services
• About the Monitor Overview Page
• About the Monitor Tenants Page
• About the Monitor Sites Page
• About the Monitor Services Page
About the Monitor Overview Page
To access this page, click Monitor > Overview.
You can use the Monitor Overview page to view information about the alarms and alerts
for tenants, network services, connections, and sites on a geographical map. The network
operator views the alarms and alerts, and then takes the necessary actions to resolve
the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View on-premise spoke site details.
• View on-premise hub site details.
• View cloud sites.
• View multiple sites.
Field Descriptions
Table 129 on page 225 shows the descriptions of the fields on the Monitor Overview page.
Table 129: Fields on the Monitor Overview Page
Field
Description
POPs
View the POP in which the site is located.
Click the POPs drop-down list and select POP Name. Enter the name of the POP.
Sites
View the sites at which the service is deployed.
Click the Sites drop-down list and enter the name of the site.
Connections
View the connections in the network.
Click the Connections drop-down list and select Show connections.
Only the node with alerts
View the nodes with issues with the service.
Click the drop-down list located next to the Only the nodes with alerts check box and select the type of
alerts.
• Critical—Issues that prevent the node from working and require action from the operator. The nodes
with critical alerts are displayed in red.
• Major—Issues that prevent the node from working at this time, but they do not require action from
the operator. The nodes with major alerts are displayed in orange.
• Minor—Issues that allow a node to continue working, but not optimally. The network operator may
need to take action to resolve the issue. The nodes with minor alerts are displayed in yellow.
NOTE: The nodes without any alerts are displayed in blue.
Related Documentation
• About the Monitor Tenants Page on page 226
• About the Monitor Sites Page on page 228
• About the Monitor Services Page on page 229
About the Monitor Tenants Page
To access this page, click Monitor > Alarms & Alerts > Tenants.
You can use the Monitor Tenants page to view information about the alarms and alerts
for the tenants. The network operator views the alarms and alerts related to the tenants
and takes the necessary action to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a tenant. Click the details icon for the tenant. See “Viewing Object
Details” on page 223.
• Show or hide columns about the tenant on the Tenants page. See “Sorting Objects”
on page 223.
Field Descriptions
Table 130 on page 227 shows the descriptions of the fields on the Monitor Tenants page.
Table 131 on page 227 shows the descriptions of the fields on the Tenant Alert Detail page.
Table 130: Fields on the Monitor Tenants Page
Field
Description
Tenant
View the name of the tenant.
Click the tenant name to view more details about the tenant alert.
Critical Alert Count
View the total number of critical alerts for the tenant. Critical issues prevent the tenant from
working and require action from the operator.
Major Alert Count
View the total number of major alerts for the tenant. Major issues prevent the tenant from
working at that point of time, but they do not require action from the operator.
Minor Alert Count
View the total number of minor alerts for the tenant. Minor issues allow a tenant to continue
working, but not optimally. The network operator may need to take action to resolve the issue.
Table 131: Fields on the Tenant Alert Detail Page
Field
Description
Alert Name
View the alert name.
Alert Type
View the alert type.
Severity
View the severity type of the alert. The available options are major, minor, and
critical.
Object Type
View the object type.
Region
View the region of alert.
Alert Count
View the total number of alerts for the tenant.
Description
View the description of the alert.
Start Time
View the start time of the alert.
Last Updated
View the date and time when the alert was last updated.
Related Documentation
• About the Monitor Overview Page on page 225
• About the Monitor Sites Page on page 228
• About the Monitor Services Page on page 229
About the Monitor Sites Page
To access this page, click Monitor > Alarms & Alerts > Sites.
You can use the Monitor Sites page to view information about the alarms and alerts for
the tenant sites. The network operator views the alarms and alerts related to the tenant
sites and takes the necessary actions to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a tenant site. Click the details icon for the tenant site. See “Viewing
Object Details” on page 223.
• Show or hide columns about the tenant site on the CPEs page. See “Sorting Objects”
on page 223.
Field Descriptions
Table 132 on page 228 shows the descriptions of the fields on the Monitor Sites page.
Table 133 on page 228 shows the descriptions of the fields on the Sites Alert Detail page.
Table 132: Fields on the Monitor Sites Page
Field
Description
Site
View the name of the site.
Click the site name to view more details about the site alert.
Tenant
View the name of the tenant.
Location
View the location of the site.
Critical Alert Count
View the total number of critical alerts for the site. Critical issues prevent the site from working
and require action from the operator.
Major Alert Count
View the total number of major alerts for the site. Major issues prevent the site from working
at that point of time, but they do not require action from the operator.
Minor Alert Count
View the total number of minor alerts for the site. Minor issues allow a site to continue working,
but not optimally. The network operator may need to take action to resolve the issue.
Table 133: Fields on the Sites Alert Detail Page
Field
Description
Alert Name
View the alert name.
Alert Type
View the alert type.
Severity
View the severity type of the alert. The available options are major, minor, and
critical.
Object Type
View the object type.
Region
View the region of alert.
Alert Count
View the total number of alerts for the site.
Description
View the description of the alert.
Start Time
View the start time of the alert.
Last Updated
View the date and time when the alert was last updated.
Related Documentation
• About the Monitor Overview Page on page 225
• About the Monitor Tenants Page on page 226
• About the Monitor Services Page on page 229
About the Monitor Services Page
To access this page, click Monitor > Alarms & Alerts > Services.
You can use the Monitor Services page to view information about the alarms and alerts for
the network services. The network operator views the alarms and alerts related to the
network service and takes the necessary actions to resolve the issues.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a network service. Click the details icon for the network service. See
“Viewing Object Details” on page 223.
• Show or hide columns about the network service on the Network Services page. See
“Sorting Objects” on page 223.
Field Descriptions
Table 134 on page 230 shows the descriptions of the fields on the Monitor Services page.
Table 135 on page 230 shows the descriptions of the fields on the Services Alert Detail
page.
Table 134: Fields on the Monitor Services Page
Field
Description
Service
View the name of the network service.
Click the network service name to view more details about the site alert.
Service Profile
View the name of the network service profile.
Critical Alert Count
View the total number of critical alerts for the network service. Critical issues prevent the
service from working and require action from the operator.
Major Alert Count
View the total number of major alerts for the network service. Major issues prevent the service
from working at that point of time, but they do not require action from the operator.
Minor Alert Count
View the total number of minor alerts for the network service. Minor issues allow a service to
continue working, but not optimally. The network operator may need to take action to resolve
the issue.
Table 135: Fields on the Services Alert Detail Page
Field
Description
Alert Name
View the alert name.
Alert Type
View the alert type.
Severity
View the severity type of the alert. The available options are major, minor, and
critical.
Object Type
View the object type.
Region
View the region of alert.
Alert Count
View the total number of alerts for the site.
Description
View the description of the alert.
Start Time
View the start time of the alert.
Last Updated
View the date and time when the alert was last updated.
Related Documentation
• About the Monitor Overview Page on page 225
• About the Monitor Tenants Page on page 226
• About the Monitor Sites Page on page 228
CHAPTER 26
Monitoring Security Alerts and Alarms
• Security Alerts Overview
• About the Generated Alerts Page
• About the Security Alerts Definitions Page
• Creating Security Alert Definitions
• Editing and Deleting Security Alert Definitions
• Cloning Security Alert Definitions
Security Alerts Overview
Alerts and notifications are used to notify administrators about significant events within
the system. Notifications can also be sent through e-mail. You will be notified when a
predefined network traffic condition is met. The alert trigger threshold is the number of
network traffic events crossing a predefined threshold within a period of time.
Alerts and notifications provide options for:
• Defining alert criteria based on a set of predefined filters. You can use the filters defined
in the advanced search to create an alert. You can also save filters and add them to
security alert definitions. See “Creating Security Alert Definitions” on page 234 for using
data criteria from filters.
• Generating an alert message and notifying you when alert criteria are met.
• Searching for specific alerts on the Generated Alerts page based on alert ID, description,
or alert type.
• Supporting event-based alerts.
For example, if you are an administrator, you can define a condition such that if the
number of firewall-deny events crosses a predefined threshold in a given time range for
a specific device, you will receive an e-mail alert.
NOTE: If a threshold is crossed and remains so for a long duration, new alerts
are not generated. Alerts are generated again when the number of logs
matching the alert criteria drops below the threshold and crosses the
threshold again.
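The following Python sketch is an added example, not part of the Juniper guide or of CSO itself; it illustrates the re-arm behavior described in the NOTE above over a constructed event log. The device names, the firewall-deny label, the 60-second window, and the reading of "crosses" as a count strictly greater than the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2018, 2, 11, 9, 0, 0)  # arbitrary start time for the constructed sample


def build_sample_events():
    """Constructed sample log (not CSO output): (timestamp, device, event type)."""
    events = []
    # Sustained burst on srx-a (hypothetical device): one deny every 10 s for two minutes.
    for s in range(0, 130, 10):
        events.append((T0 + timedelta(seconds=s), "srx-a", "firewall-deny"))
    # Unrelated event that the alert criteria must ignore.
    events.append((T0 + timedelta(seconds=45), "srx-a", "RT_FLOW_SESSION_CREATE"))
    # A quieter device that never crosses the threshold.
    for s in (20, 70):
        events.append((T0 + timedelta(seconds=s), "srx-b", "firewall-deny"))
    # Second burst on srx-a after a quiet period.
    for s in (300, 305, 310, 315):
        events.append((T0 + timedelta(seconds=s), "srx-a", "firewall-deny"))
    return sorted(events)


class ThresholdAlertRule:
    """Counts matching events per device in a sliding window and alerts on crossing.

    With edge_triggered=True the rule alerts once when the count crosses the
    threshold and stays silent until the count has dropped below the threshold
    and crossed it again. With edge_triggered=False it alerts on every event
    seen while the count is above the threshold (shown only for comparison).
    """

    def __init__(self, event_type, threshold, window, edge_triggered=True):
        self.event_type = event_type
        self.threshold = threshold
        self.window = window
        self.edge_triggered = edge_triggered
        self._recent = defaultdict(deque)          # device -> timestamps in window
        self._armed = defaultdict(lambda: True)    # device -> may the rule fire?

    def observe(self, ts, device, event_type):
        """Feed one event; return an alert dict if it triggers one, else None."""
        if event_type != self.event_type:
            return None
        recent = self._recent[device]
        recent.append(ts)
        cutoff = ts - self.window
        while recent and recent[0] <= cutoff:      # age out events older than the window
            recent.popleft()
        count = len(recent)
        if count < self.threshold:
            self._armed[device] = True             # dropped below: re-arm
            return None
        if count > self.threshold and (self._armed[device] or not self.edge_triggered):
            self._armed[device] = False            # stay silent while still above
            return {"time": ts, "device": device, "count": count}
        return None


def run(events, threshold=3, window_seconds=60, edge_triggered=True):
    """Replay events through the rule and collect the alerts it raises."""
    rule = ThresholdAlertRule("firewall-deny", threshold,
                              timedelta(seconds=window_seconds), edge_triggered)
    alerts = []
    for ts, device, event_type in events:
        alert = rule.observe(ts, device, event_type)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    sample = build_sample_events()
    for a in run(sample):
        offset = int((a["time"] - T0).total_seconds())
        print(f"alert: device={a['device']} t+{offset}s count={a['count']}")
    print("alerts if every event above the threshold notified:",
          len(run(sample, edge_triggered=False)))
```

For alert tuning, the practical consequence is that a long-running condition produces a single notification, so its duration has to be read from the underlying events rather than from the number of alerts.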
Related Documentation
• About the Security Alerts Definitions Page on page 233
• Creating Security Alert Definitions on page 234
About the Generated Alerts Page
To access this page, click Monitor > Alerts & Alarms > Alerts.
Use this page to view the system event-based alerts generated in response to a configured
alert definition. The generated alerts help you to identify problems that appear in your
monitored network environment. The page displays both security and CSO alerts. You can
view statistics such as the number of critical and non-critical alerts.
Tasks You Can Perform
You can perform the following tasks from this page:
• Select the generated alert and then right-click or click More > Jump to Events and Logs.
The corresponding events that triggered the alert are displayed.
• Select the generated alert and then right-click or click More > Detail View.
• Select the generated alert and then right-click or click More > Clear All Selections.
Field Descriptions
Table 136 on page 232 provides guidelines on using the fields on the Generated Alerts
page.
Table 136: Fields on the Generated Alerts Page
Field
Description
Time
View the date and time when the alert was generated.
Alert Name
View the name of the alert.
Alert Description
View the description of the alert.
Source
View the source address of the alert.
Alert Type
View the type of alert.
Severity
View the severity of the alert.
Site
View the tenant site.
Object Type
View the object type.
Alert ID
View the alert ID.
Related Documentation
• About the Security Alerts Definitions Page on page 233
About the Security Alerts Definitions Page
To access this page, click Monitor > Alerts & Alarms > Security Alert Definitions.
Use this page to generate alerts that warn you of problems in your monitored environment.
An alert definition consists of data criteria for triggering an alert. An alert is triggered when
the event threshold exceeds the data criteria that is defined.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a security alert definition. See “Creating Security Alert Definitions” on page 234.
• Edit and delete a security alert definition. See “Editing and Deleting Security Alert
Definitions” on page 235.
• Clone a security alert definition. See “Cloning Security Alert Definitions” on page 236.
Field Descriptions
Table 137 on page 233 provides guidelines on using the fields on the Security Alert
Definitions page.
Table 137: Fields on the Security Alert Definitions Page
Field
Description
Alert Name
View the name of the alert.
Alert Description
View the description for the alert.
Filter
View filter values of the alert.
Recipients
View recipients’ e-mail addresses where alert notifications are sent.
Active
View the status of the alert.
Alert Type
View the type of alert.
Example: Event-based
Related Documentation
• Security Alerts Overview on page 231
• Creating Security Alert Definitions on page 234
Creating Security Alert Definitions
You can create an alert definition to monitor your data in real time. You can identify issues
and attacks before they impact your network.
For example, if you are an administrator, you can define a condition such that if the
number of firewall deny events crosses a predefined threshold in a given time frame for
a specific device, you receive an e-mail alert.
To create a security alert definition:
1. Select Monitor > Alerts & Alarms > Security Alert Definitions.
The Security Alert Definitions page appears.
2. Click the create icon (+) or add icon (+).
The Create an Alert Definition page appears.
3. Complete the configuration according to the guidelines provided in
Table 138 on page 234.
4. Click OK. If you want to discard the changes, click Cancel instead.
A new alert definition with the configured alert triggering condition is created. You can
view the generated alerts from the alert definition to troubleshoot the issues with your
system.
Table 138: Fields on the Security Alert Definitions Page
Field
Description
General
Alert Name
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores.
No spaces are allowed and the maximum length is 63 characters.
Alert Description
Enter a description for the alerts; maximum length is 1024 characters.
Alert Type
Displays the type of alert that is system-based.
Status
Select the Active check box to view only the active alerts.
Severity
Select the severity level of the alert: info, minor, major, critical.
Trigger
Use Data Criteria from Filters
Specifies the data criteria from the list of default and user-created filters that are saved
from the Event Viewer.
To add saved filters:
• Click the Use data criteria from filters link. The Add Saved Filters page appears.
• Select the filters to be added.
• Click OK.
Add Data Criteria
Specifies the data criteria based on the Time Span period, Group By, and Filter By option.
Filtered data only displays the subset of data that meets the criteria that you specify.
Recipient(s)
E-mail Address(es)
Specify the e-mail addresses for the recipients of the alert notification.
Custom Message
Enter a custom string for identifying the type of alert in the alert notification e-mail.
Related Documentation
• About the Security Alerts Definitions Page on page 233
• Editing and Deleting Security Alert Definitions on page 235
Editing and Deleting Security Alert Definitions
You can edit and delete security alert definitions.
• Editing Security Alert Definitions
• Deleting Security Alert Definitions
Editing Security Alert Definitions
To edit the security alert definition:
1. Select Monitor > Alerts & Alarms > Security Alert Definitions.
The Security Alerts Definition page appears.
2. Select the check box of the security alert definition that you want to modify, and click
the edit icon.
The Edit Alert Definition page appears. The options available on the Create Alert
Definition page are available for editing.
3. Update the configuration as needed.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
Deleting Security Alert Definitions
You can click the delete icon (X) to delete one or more alert definitions.
To delete the alert definition:
1. Select Monitor > Alerts & Alarms > Security Alerts.
The Security Alerts Definition page appears.
2. Select the alert definition that you want to delete and click the delete icon (X icon).
The Confirm Delete page appears.
3. Click Yes to delete the alert definition or No to cancel the deletion.
If you click Yes, then the alert definition is deleted from the main page.
Related Documentation
• About the Security Alerts Definitions Page on page 233
• Creating Security Alert Definitions on page 234
Cloning Security Alert Definitions
You can clone an alert definition when you want to quickly create a copy of an alert
definition and modify its parameters including the name of the alert.
To clone an alert definition:
1. Select Monitor > Alerts & Alarms > Security Alert Definition.
The Security Alert Definitions page appears.
2. Select the alert definition that you want to clone, and click More > Clone at the top
right corner of the page.
The Clone Alert Definition page appears.
3. Click OK to save the configuration.
A new alert definition is created.
Related Documentation
• About the Security Alerts Definitions Page on page 233
• Creating Security Alert Definitions on page 234
CHAPTER 27
Monitoring Security and Device Events
• About the All Security Events Page
• About the Firewall Events Page
• About the Web Filtering Events Page
• About the IPsec VPNs Events Page
• About the Content Filtering Events Page
• About the Antispam Events Page
• About the Antivirus Events Page
• About the IPS Events Page
• About the Device Events Page
About the All Security Events Page
To access this page, click Monitoring > Security Events > All Events.
Use this page to get an overall, high level view of your network environment. You can
view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.
This page provides administrators with an advanced filtering mechanism and provides
visibility into actual events collected by the Log Collector. Using the time-range slider,
you can instantly focus on areas of unusual activity by dragging the time slider to the
area of interest to you. The slider and the Custom button under Time Range remain at
the top of each tab. Users select the time range, and then they can decide how to view
the data, using the summary view or detail view tabs.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all events in your network. See “Summary View” on page 238.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 238.
Summary View
You can view a brief summary of all the events in your network. At the center of the page
is critical information, including total number of events, viruses found, total number of
interfaces that are down, number of attacks, CPU spikes, and system reboots. This data
is refreshed automatically based on the selected time range. At the bottom of the page
is a swim lane view of different events that are happening at a specific time. The events
include firewall, web filtering, VPN, content filtering, antispam, antivirus, and IPS. Each
event is color coded, with darker shades representing a higher level of activity. Each tab
provides detailed information, such as the type and number of events occurring at that specific time.
Table 139 on page 238 describes the widgets on the All Events Summary View page.
Table 139: Widgets on the All Events Summary View Page
Field
Description
Total Events
View the total number of all the events that includes firewall, web filtering, IPS, IPSec
VPNs, content filtering, antispam, and antivirus events.
Virus Instances
View the total number of virtual instances running in the system.
Attacks
View the total number of attacks on the firewall.
Interface Down
View the total number of interfaces that are down.
CPU Spikes
View the total number of times a CPU utilization spike has occurred.
Reboots
View the total number of system reboots.
Sessions
View the total number of sessions established through firewall.
Detail View
Click Detail View for comprehensive details of events in a tabular format that includes
sortable columns. You can sort the events using the Group By option. For example, you
can sort the events based on severity. The table includes information such as the rule
that caused the event, severity for the event, event ID, traffic information, and how and
when the event was detected.
Advanced Search
You can perform an advanced search of all events using the text field present above the
tabular column. It includes the logical operators as part of the filter string. Enter the
search string in the text field and based on your input, a list of items from the filter context
menu is displayed. You can select a value from the list and then select a valid logical
operator to perform the advanced search operation. Press Enter to display the search
result in the tabular column below.
To delete the search string in the text field, click the delete icon (X icon).
Examples of event log filters are shown in the following list:
• Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event
Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS,
IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT,
IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT,
AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT,
ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL,
FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL,
FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL,
FWAUTH_TELNET_USER_AUTH_FAIL_LS,
FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
• User wants to filter all RT flow sessions originating from IP addresses in specific
countries and landing on IPs in specific countries
Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source
IP = 177.1.1.1,220.194.0.150,14.1.1.2,196.194.56.4 AND Destination IP =
255.255.255.255,10.207.99.75,10.207.99.72,223.165.27.13 AND Source Country = Brazil,
United States, China, Russia, Algeria AND Destination Country = Germany, India, United
States
•
Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust, internal AND Policy Name = IDP2
•
UTM logs coming from specific source country, destination country, source IP addresses
with or without specific destination IP addresses.
Event Category = antispam, antivirus, contentfilter, webfilter AND Source Country =
Australia AND Destination Country = Turkey, United States, Australia AND Source IP
= 1.0.0.0,1.1.1.3 OR Destination IP = 74.125.224.47,5.56.17.61
•
Events with specific sources IPs or events hitting HTP, FTP, HTTP, and unknown
applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp, ftp, http, unknown OR Source IP = 192.168.34.10,192.168.1.26 AND
Hostname = dc-srx1400-1,vsrx-75
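The guide does not state how a filter that mixes AND and OR is grouped, and the two common readings select different events. The following added example (not from the Juniper guide or product code) parses the filter-string syntax shown in the list above and evaluates a shortened form of the first filter both ways over constructed events. The function names, the `id` key, and case-insensitive value matching are assumptions made for the illustration.

```python
import re

# Shortened form of the guide's first example filter (event-name list trimmed).
FILTER = ("Source Country = United States OR Destination Country = United States "
          "AND Event Name = IDP_ATTACK_LOG_EVENT, AV_VIRUS_DETECTED")

# Constructed sample events; keys reuse the Detail View column names,
# "id" is a hypothetical label used only by this example.
EVENTS = [
    {"id": "e1", "Source Country": "United States",
     "Destination Country": "Germany", "Event Name": "RT_FLOW_SESSION_CREATE"},
    {"id": "e2", "Source Country": "Brazil",
     "Destination Country": "United States", "Event Name": "AV_VIRUS_DETECTED"},
    {"id": "e3", "Source Country": "Brazil",
     "Destination Country": "Germany", "Event Name": "IDP_ATTACK_LOG_EVENT"},
]


def parse_filter(text):
    """Return (terms, ops): terms are (field, frozenset(values)), ops are 'AND'/'OR'."""
    text = " ".join(text.split())                 # undo line wrapping
    parts = re.split(r"\s+(AND|OR)\s+", text)     # operators are whole upper-case words
    terms, ops = [], []
    for i, part in enumerate(parts):
        if i % 2:
            ops.append(part)
            continue
        field, sep, values = part.partition("=")
        if not sep or not field.strip() or not values.strip():
            raise ValueError(f"malformed term: {part!r}")
        # A comma-separated value list means "any of these values".
        vals = frozenset(v.strip().lower() for v in values.split(",") if v.strip())
        terms.append((field.strip(), vals))
    return terms, ops


def term_matches(event, term):
    """Assumption: values compare case-insensitively, as the hostname example suggests."""
    field, values = term
    return str(event.get(field, "")).lower() in values


def eval_left_to_right(event, terms, ops):
    """Reading 1: operators applied strictly in the order written."""
    result = term_matches(event, terms[0])
    for op, term in zip(ops, terms[1:]):
        hit = term_matches(event, term)
        result = (result and hit) if op == "AND" else (result or hit)
    return result


def eval_and_first(event, terms, ops):
    """Reading 2: AND binds tighter than OR (an OR of AND-groups)."""
    groups, current = [], term_matches(event, terms[0])
    for op, term in zip(ops, terms[1:]):
        hit = term_matches(event, term)
        if op == "AND":
            current = current and hit
        else:
            groups.append(current)
            current = hit
    groups.append(current)
    return any(groups)


def disagreements(filter_text, events):
    """IDs of events that one reading selects and the other does not."""
    terms, ops = parse_filter(filter_text)
    return [e["id"] for e in events
            if eval_left_to_right(e, terms, ops) != eval_and_first(e, terms, ops)]


if __name__ == "__main__":
    terms, ops = parse_filter(FILTER)
    for e in EVENTS:
        print(e["id"], eval_left_to_right(e, terms, ops), eval_and_first(e, terms, ops))
    print("readings disagree on:", disagreements(FILTER, EVENTS))
```

An event like e1 (the country term matches, the event name does not) is a useful probe: whether the Detail View returns it for this filter shows which grouping the search applies.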
Table 140 on page 239 describes the fields on the All Events Detail View Page.
Table 140: Fields on the All Events Detail View Page
Field
Description
Time
View the time when the log was received.
Event Name
View the event name of the log.
Site
View the name of the tenant site.
Source Country
View the source country name.
Source IP
View the source IP address from where the event occurred.
Destination Country
View the destination country name from where the event occurred.
Destination IP
View the destination IP address of the event.
Source Port
View the source port of the event.
Destination Port
View the destination port of the event.
Description
View the description of the log.
Attack Name
View the attack name of the log: Trojan, worm, virus, and so on.
Threat Severity
View the severity level of the threat.
Policy Name
View the policy name in the log.
UTM Category or Virus Name
View the UTM category of the log.
URL
View the accessed URL name that triggered the event.
Event Category
View the event category of the log.
User Name
View the username of the log.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source.
Application
View the application name from which the events or logs are generated.
Hostname
View the hostname in the log.
Service Name
The name of the application service. For example, FTP, HTTP, SSH, and so on.
Nested Application
View the nested application in the log.
Source Zone
View the source zone of the log.
Destination Zone
View the destination zone of the log.
Protocol ID
View the protocol ID in the log.
Roles
View the role name associated with the log.
Reason
View the reason for the log generation. For example, a connection tear down may
have an associated reason such as “authentication failed”.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source Rule Name
View the NAT source rule name.
NAT Destination Rule Name
View the NAT destination rule name.
NAT Source IP
View the translated (or natted) source IP address. It can contain IPv4 or IPv6
addresses.
NAT Destination IP
View the translated (also called natted) destination IP address.
Traffic Session ID
View the traffic session ID of the log.
Path Name
View the path name of the log.
Logical system Name
View the name of the logical system.
Rule Name
View the name of the rule.
Profile Name
View the name of the All events profile that triggered the event.
Related Documentation
• About the Firewall Events Page on page 241
• About the Web Filtering Events Page on page 244
• About the IPsec VPNs Events Page on page 246
• About the Content Filtering Events Page on page 248
• About the Antispam Events Page on page 250
• About the Antivirus Events Page on page 252
• About the IPS Events Page on page 254
About the Firewall Events Page
To access this page, click Monitor > Security Events > Firewall.
Use the Firewall Events page to view information about security events based on firewall
policies. Analyzing firewall logs yields useful security management information, such as
attempts to breach your network, and lets you observe the inherent characteristics of your
traffic in real time. Using the time-range slider, you can quickly focus on the area of activity that
you are most interested in. Once the time range is selected, all of the data presented in
your view is refreshed automatically. You can also use the Custom button to set a custom
time range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the firewall events in your network. See “Summary View”
on page 242.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 242.
Summary View
The data presented in the line graph (also known as swim lanes) is refreshed
automatically based on the selected time range. The line graph shows light blue lanes
that represent all firewall events and dark blue lanes that represent blocked firewall events.
Below the swim lanes are widgets displaying critical information such as top sources,
top destinations, top users, and top reporting devices.
Table 141 on page 242 describes the widgets on the Summary View page.
Table 141: Widgets on the Summary View Page
Widget
Description
Top Sources
View the top source IP addresses of the network traffic; sorted by event count.
Top Destinations
View the top destination IP addresses of the network traffic; sorted by event count.
Top Users
View the top users of the network traffic; sorted by event count.
Top Reporting Devices
View the top reporting devices in the network; sorted by event count.
Detail View
Detail view includes information such as the rule that caused the event, severity for the
event, event ID, traffic information, and how and when the event was detected.
Table 142 on page 242 provides guidelines on using the fields on the Detail View page.
Table 142: Fields on the Detail View Page
Field
Description
Time
View the time when the log was received.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Source IP
View the source IP address from where the event occurred.
Destination Country
View the destination country name from where the event occurred.
Destination IP
View the destination IP address of the event.
Source Port
View the source port of the event.
Destination Port
View the destination port of the event.
Description
View the description of the log.
Policy Name
View the policy name in the log.
User Name
View the username of the log.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source (IPv4 or IPv6).
Application
View the application name from which the events or logs are generated.
Hostname
View the hostname in the log.
Service Name
The name of the application service. For example, FTP, HTTP, SSH, and so on.
Nested Application
View the nested application in the log.
Source Zone
View the user traffic received from the zone.
Destination Zone
View the destination zone of the log.
Protocol ID
View the protocol ID in the log.
Roles
View the role names associated with the event.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source Rule Name
View the NAT source rule name.
NAT Destination Rule Name
View the NAT destination rule name.
NAT Source IP
View the translated (or natted) source IP address. It can contain IPv4 or IPv6
addresses.
NAT Destination IP
View the translated (also called natted) destination IP address.
Traffic Session ID
View the traffic session ID of the log.
Rule Name
View the rule name of the log.
Related Documentation
• About the All Security Events Page on page 237
• About the Web Filtering Events Page on page 244
• About the IPsec VPNs Events Page on page 246
• About the Content Filtering Events Page on page 248
• About the Antispam Events Page on page 250
• About the Antivirus Events Page on page 252
• About the IPS Events Page on page 254
About the Web Filtering Events Page
To access this page, click Monitor > Security Events > Web Filtering.
Use the Web Filtering page to view information about security events based on Web
filtering policies. Web filtering allows you to permit or block access to specific websites
by URL or by URL category using cloud-based lookups, a local database, or an external
Websense server. Analyzing Web filtering logs yields useful security management
information such as users detected accessing restricted URLs and actions taken by the
system. Using the time-range slider, you can quickly focus on the area of activity that you
are most interested in. Once the time range is selected, all of the data presented in your
view is refreshed automatically. You can also use the Custom button to set a custom
time range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the Web filtering events in your network. See “Summary
View” on page 245.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 245.
Summary View
The top of the page has a swim lane graph of all the Web filtering events against the
blocked events.
Below the swim lanes are widgets displaying critical information such as top sources,
top destinations, top users, and top reporting devices.
You can use the widgets at the bottom of the page to view critical information such as
top URLs blocked, top matched profiles, top sources, and top destinations.
Table 143 on page 245 describes the widgets on the Summary View page.
Table 143: Widgets on the Summary View Page
Widget
Description
Top URLs blocked
View the URL names that are blocked; sorted by event count.
Top Matched Profiles
View the web filtering profile names; sorted by event count.
Top Sources
View the top source IP addresses of the network traffic; sorted by event count.
Top Destinations
View the top destination IP addresses of the network traffic; sorted by event count.
Detail View
You can aggregate the events using the Group By option. For example, you can group
the events based on source country. The table includes information such as the event
name, UTM category, source IP address, source country, and so on.
Table 144 on page 245 provides guidelines on using the fields on the Detail View page.
Table 144: Fields on the Detail View Page
Fields
Description
Time
View the time when the event occurred.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Source IP
View the source IP address from where the event occurred (IPv4 or IPv6).
Destination Country
View the destination country name from where the event occurred.
Destination IP
View the destination IP address of the event (IPv4 or IPv6).
Source Port
View the source port of the event.
Destination Port
View the destination port of the event.
Description
View the description of the log.
UTM category or Virus Name
View the UTM category of the log: enhanced, local, and redirect.
URL
View the accessed URL name that triggered the event.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source (IPv4 or IPv6).
Host Name
View the hostname in the log.
Source Zone
View the user traffic received from the zone.
Roles
View the role names associated with the event.
Reason
View the reason for the log generation. For example, unrestricted access.
Path Name
View the path name of the log.
Profile Name
View the name of the Web filtering profile that triggered the event.
Related Documentation
• About the All Security Events Page on page 237
• About the Firewall Events Page on page 241
• About the IPsec VPNs Events Page on page 246
• About the Content Filtering Events Page on page 248
• About the Antispam Events Page on page 250
• About the Antivirus Events Page on page 252
• About the IPS Events Page on page 254
About the IPsec VPNs Events Page
To access this page, click Monitor > Security Events > IPsec VPNs.
Use this page to view information about security events based on IPsec VPN policies.
The event viewer provides a view of all IPsec VPN events.
Using the time-range slider, you can quickly focus on the area of activity that you are
most interested in. Once the time range is selected, all of the data presented in your view
is refreshed automatically. You can also use the Custom button to set a custom time
range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the IPsec VPN events in your network. See “Summary View”
on page 247.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 247.
Summary View
The top of the page has a swim lane graph of all the VPN events. You can use the widgets
at the bottom of the page to view critical information such as top sources, top destinations,
and top reporting devices.
Table 145 on page 247 describes the widgets on the Summary View page.
Table 145: Widgets on the Summary View Page
Widget
Description
Top Sources
View the top source IP addresses of the network traffic; sorted by event count.
Top Destinations
View the top destination IP addresses of the network traffic; sorted by event count.
Top Reporting Devices
View the top reporting device IP addresses; sorted by event count.
Detail View
You can aggregate the events using the Group By option. For example, you can group
the events based on source country. The table includes information such as the event
name, log source, host name, source country, and so on.
Table 146 on page 247 provides guidelines on using the fields on the Detail View page.
Table 146: Fields on the Detail View Page
Fields
Description
Time
View the time when the event occurred.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Destination Country
View the destination country name from where the event occurred.
Destination Port
View the destination port of the event.
Description
View the description of the log.
Log Source
View the IP address of the log source (IPv4 or IPv6).
Host Name
View the hostname in the log.
Rule Name
View the name of the antivirus profile that triggered the event.
Related Documentation
• About the All Security Events Page on page 237
• About the Firewall Events Page on page 241
• About the Web Filtering Events Page on page 244
• About the Content Filtering Events Page on page 248
• About the Antispam Events Page on page 250
• About the Antivirus Events Page on page 252
• About the IPS Events Page on page 254
About the Content Filtering Events Page
To access this page, click Monitor > Security Events > Content Filtering.
Use this page to view information about security events based on content filtering policies.
The event viewer provides a view of all content filtering events and how the events are
handled by the content filter. This page can be used to view traffic on the network in real
time or as a debugging tool to view how content filtering is operating.
Content filtering provides basic data loss prevention functionality. Content filtering
screens traffic based on MIME type, file extension, protocol commands, and embedded
object type. It either permits or blocks specific commands or extensions on a
protocol-by-protocol basis.
Using the time-range slider, you can quickly focus on the area of activity that you are
most interested in. Once the time range is selected, all of the data presented in your view
is refreshed automatically. You can also use the Custom button to set a custom time
range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the content filtering events in your network. See “Summary
View” on page 249.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 249.
Summary View
The top of the page has a swim lane graph of all the content filtering events against the
blocked events. You can use the widgets at the bottom of the page to view critical
information such as top blocked protocol commands, top reasons, and top sources.
Table 147 on page 249 describes the widgets on the Summary View page.
Table 147: Widgets on the Summary View Page
Widget
Description
Top Blocked Protocol commands
View the top command names or file extensions blocked on a protocol-by-protocol
basis.
Top Reasons
View the top reasons for blocking the content. For example: Inappropriate or harmful
communication.
Top Sources
View the top source IP addresses of the network traffic; sorted by event count.
Detail View
You can aggregate the events using the Group By option. For example, you can group
the events based on source country. The table includes information such as the event
name, UTM category, source IP address, source country, and so on.
Table 148 on page 249 provides guidelines on using the fields on the Detail View page.
Table 148: Fields on the Detail View Page
Fields
Description
Time
View the time when the event occurred.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Source IP
View the source IP address from where the event occurred (IPv4 or IPv6).
Description
View the description of the log.
UTM Category or Virus Name
View the UTM category of the log: enhanced, local, and redirect.
URL
View the accessed URL name that triggered the event.
Argument
View the type of traffic. For example, FTP and HTTP.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source (IPv4 or IPv6).
Host Name
View the hostname in the log.
Source Zone
View the user traffic received from the zone.
Roles
View the role names associated with the event.
Reason
View the reason for the log generation. For example, unrestricted access.
Profile Name
View the name of the content filtering profile that triggered the event.
Related Documentation
• About the All Security Events Page on page 237
• About the Firewall Events Page on page 241
• About the Web Filtering Events Page on page 244
• About the IPsec VPNs Events Page on page 246
• About the Antispam Events Page on page 250
• About the Antivirus Events Page on page 252
• About the IPS Events Page on page 254
About the Antispam Events Page
To access this page, click Monitor > Security Events > Antispam.
Use this page to view information about security events based on antispam policies. The
event viewer provides a view of all antispam events and the action taken by the antispam
scanner.
The antispam scanner inspects and blocks spam by scanning inbound and outbound
SMTP e-mail traffic. The filtering can be server-based using an external spam block list
server or local-based using local lists (blacklists and whitelists) for matching.
Using the time-range slider, you can quickly focus on the area of activity that you are
most interested in. Once the time range is selected, all of the data presented in your view
is refreshed automatically. You can also use the Custom button to set a custom time
range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the antispam events in your network. See “Summary View”
on page 251.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 251.
Summary View
The top of the page has a swim lane graph of all antispam events. You can use the widget
at the bottom of the page to view source IP addresses of the network traffic, sorted by
event count.
Detail View
You can aggregate the events using the Group By option. For example, you can group the
events based on source country. The table includes information such as the event name,
UTM category, source IP address, source country, and so on.
Table 149 on page 251 provides guidelines on using the fields on the Detail View page.
Table 149: Fields on the Detail View Page
Fields
Description
Time
View the time when the event occurred.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Source IP
View the source IP address from where the event occurred (IPv4 or IPv6).
Description
View the description of the log.
UTM Category or Virus Name
View the UTM category of the log: enhanced, local, and redirect.
URL
View the accessed URL name that triggered the event.
Argument
View the type of traffic. For example, FTP and HTTP.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source (IPv4 or IPv6).
Host Name
View the hostname in the log.
Source Zone
View the user traffic received from the zone.
Roles
View the role names associated with the event.
Reason
View the reason for the log generation. For example, unrestricted access.
Profile Name
View the name of the content filtering profile that triggered the event.
Related Documentation
• About the All Security Events Page on page 237
• About the Firewall Events Page on page 241
• About the Web Filtering Events Page on page 244
• About the IPsec VPNs Events Page on page 246
• About the Content Filtering Events Page on page 248
• About the Antivirus Events Page on page 252
• About the IPS Events Page on page 254
About the Antivirus Events Page
To access this page, click Monitor > Security Events > Antivirus.
Use this page to view information about security events based on antivirus policies. The
event viewer provides a view of all antivirus events and the action taken by the virus
scanner.
The antivirus scanner inspects files transmitted over several protocols to determine if
the files exchanged are malicious (for example, viruses, Trojans, rootkits, and worms).
Using the time-range slider, you can quickly focus on the area of activity that you are
most interested in. Once the time range is selected, all of the data presented in your view
is refreshed automatically. You can also use the Custom button to set a custom time
range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the antivirus events in your network. See “Summary View”
on page 253.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 253.
Summary View
The top of the page has a swim lane graph of all the antivirus events against the blocked
events. You can use the widgets at the bottom of the page to view critical information
such as top blocked protocol commands, top reasons, and top sources.
Table 150 on page 253 provides guidelines on using the widgets on the Detail View page.
Table 150: Widgets on the Summary Page
Field
Description
Top Sources
View the top source IP addresses of the network traffic; sorted by event count.
Top Destinations
View the top destination IP addresses of the network traffic; sorted by event count.
Top Reporting/Attacked Devices
View the top reporting/attacked device IP addresses; sorted by event count.
Top Viruses
View the top virus names detected; sorted by event count.
Top Source Countries
View the top source country names where the events originated; sorted by event
count.
Top Destination Countries
View the top destination country names where the events occurred; sorted by event
count.
Detail View
You can aggregate the events using the Group By option. For example, you can group
the events based on source country. The table includes information such as the event
name, UTM category, source IP address, source country, and so on.
Table 151 on page 253 provides guidelines on using the fields on the Detail View page.
Table 151: Fields on the Detail View Page
Fields
Description
Time
View the time when the event occurred.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Source IP
View the source IP address from where the event occurred (IPv4 or IPv6).
Destination Country
View the destination country name from where the event occurred.
Destination IP
View the destination IP address of the event (IPv4 or IPv6).
Source Port
View the source port of the event.
Destination Port
View the destination port of the event.
Description
View the description of the log.
UTM Category or Virus Name
View the UTM category of the log: enhanced, local, and redirect.
URL
View the accessed URL name that triggered the event.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source (IPv4 or IPv6).
Host Name
View the hostname in the log.
Source Zone
View the user traffic received from the zone.
Roles
View the role names associated with the event.
Reason
View the reason for the log generation. For example, unrestricted access.
Profile Name
View the name of the antivirus profile that triggered the event.
Related Documentation
• About the All Security Events Page on page 237
• About the Firewall Events Page on page 241
• About the Web Filtering Events Page on page 244
• About the IPsec VPNs Events Page on page 246
• About the Content Filtering Events Page on page 248
• About the Antispam Events Page on page 250
• About the IPS Events Page on page 254
About the IPS Events Page
To access this page, click Monitor > Security Events > IPS.
Use the IPS Events page to view information about security events based on IPS policies.
Analyzing IPS logs yields useful security management information, such as abnormal
events, attacks, viruses, or worms.
Using the time-range slider, you can quickly focus on the area of activity that you are
most interested in. Once the time range is selected, all of the data presented in your view
is refreshed automatically. You can also use the Custom button to set a custom time
range.
There are two ways to view your data. You can select either the Summary View tab or
the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
• View a brief summary of all the IPS events in your network. See “Summary View”
on page 255.
• View the comprehensive details of events in a tabular format that includes sortable
columns. See “Detail View” on page 255.
Summary View
The data presented in the area graph is refreshed automatically based on the selected
time range. You can use widgets to view critical information such as IPS severities, top
sources, top destinations, top reporting devices, top IPS attacks, top source countries,
and top destination countries.
Table 152 on page 255 provides guidelines on using the widgets on the Detail View page.
Table 152: Widgets on the Summary Page
Field
Description
IPS Severities
View the top IPS severities of the events based on the severity level: high, medium, low.
Top Sources
View the top source IP addresses of the network traffic; sorted by the number of event
occurrences.
Top Destinations
View the top destination IP addresses of the network traffic; sorted by the number of
event occurrences.
Top Reporting/Attacked Devices
View the top devices that are attacked by IPS events; sorted by the number of times
users are active on the network.
Top IPS attacks
View the top IPS attacks in the network traffic; sorted by the times devices are attacked.
Top Source Countries
View the top source countries from where the event source originated; sorted by the
number of IP addresses.
Top Destination Countries
View the top source countries from where the event source originated; sorted by the
number of IP addresses.
Detail View
You can sort the events using the Group By option. For example, you can sort the events
based on severity. The table includes information such as the rule that caused the event,
severity for the event, event ID, traffic information, and how and when the event was
detected.
Table 153 on page 256 provides guidelines on using the fields on the Detail View page.
Table 153: Fields on the Detail View Page
Column
Description
Time
View the time when the log was received.
Event Name
View the event name of the log.
Source Country
View the source country name from where the event originated.
Source IP
View the source IP address from where the event occurred.
Destination Country
View the destination country name from where the event occurred.
Destination IP
View the destination IP address of the event.
Source Port
View the source port of the event.
Destination Port
View the destination port of the event.
Description
View the description of the log.
Attack name
View the attack name of the log: Trojan, worm, virus, and so on.
Threat Severity
View the threat severity of the event.
Policy Name
View the policy name in the log.
Action
View the action taken for the event: warning, allow, and block.
Log Source
View the IP address of the log source.
Application
View the application name from which the events or logs are generated.
Hostname
View the host name in the log.
Service Name
View the name of the application service. For example, FTP, HTTP, SSH, and so
on.
Nested Application
View the nested application name in the log.
Source Zone
View the source zone of the log.
Destination Zone
View the destination zone of the log.
Protocol ID
View the protocol ID in the log.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source IP
View the NAT source IP address of the log.
NAT Destination IP
View the NAT destination IP address of the log.
Rule Name
View the name of the rule.
Related Documentation
• About the All Security Events Page on page 237
• About the Firewall Events Page on page 241
• About the Web Filtering Events Page on page 244
• About the IPsec VPNs Events Page on page 246
• About the Content Filtering Events Page on page 248
• About the Antispam Events Page on page 250
• About the Antivirus Events Page on page 252
About the Device Events Page
To access this page, click Monitor > Device Events.
Use the Device Events page to view information about device events such as routine
operations, failure and error conditions, and emergency or critical conditions.
You can view comprehensive details of device events in a tabular format that includes
sortable columns and a line graph (also known as swim lanes). The data presented in
the line graph is refreshed automatically based on the selected time range. In the line
graph, light blue areas represent all device events and dark blue areas represent
blocked device events.
Tasks You Can Perform
You can perform the following tasks from this page:
• Click the Custom button to select the date and time range to generate the device event.
• Show or hide the time range in the carousel by clicking the show or hide buttons at the top of
the page.
Advanced Search
You can perform an advanced search of all events using the text field present above the
tabular column. It includes the logical operators as part of the filter string. Enter the
search string in the text field and, based on your input, a list of items from the filter context
menu is displayed. You can select a value from the list and then select a valid logical
operator to perform the advanced search operation. Press Enter to display the search
result in the tabular column below.
To delete the search string in the text field, click the delete icon (X icon).
Examples of event log filters are shown in the following list:
• Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event
Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS,
IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT,
IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT,
AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT,
ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL,
FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL,
FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL,
FWAUTH_TELNET_USER_AUTH_FAIL_LS,
FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
• User wants to filter all RT flow sessions originating from IPs in specific countries and
landing on IPs in specific countries
Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source
IP = 177.1.1.1,220.194.0.150,14.1.1.2,196.194.56.4 AND Destination IP =
255.255.255.255,10.207.99.75,10.207.99.72,223.165.27.13 AND Source Country =
Brazil,United States,China,Russia,Algeria AND Destination Country =
Germany,India,United States
• Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust, internal AND Policy Name = IDP2
• UTM logs coming from specific source country, destination country, source IPs with or
without specific destination IPs
Event Category = antispam, antivirus, contentfilter, webfilter AND Source Country =
Australia AND Destination Country = Turkey, United States, Australia AND Source IP
= 1.0.0.0,1.1.1.3 OR Destination IP = 74.125.224.47,5.56.17.61
• Events with specific source IPs or events hitting TFTP, FTP, HTTP, and unknown
applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp, ftp, http, unknown OR Source IP = 192.168.34.10,192.168.1.26 AND
Hostname = dc-srx1400-1,vsrx-75
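The example filters above mix AND and OR without parentheses, and the guide does not state how such a string is grouped. The following added example (not code from the guide or from CSO) parses the last filter in the list and evaluates it over constructed events under two readings, strict left-to-right and AND-before-OR, and reports the events on which the two readings disagree. Case-insensitive matching, the comma as an any-of list, and both evaluation orders are assumptions.

```python
import re

# Logical operators as written in the guide's example filters.
OPERATOR_RE = re.compile(r"\s+(AND|OR)\s+")

# Filter string copied from the last example in the list above.
PAGE_FILTER = ("Application = tftp, ftp, http, unknown OR "
               "Source IP = 192.168.34.10,192.168.1.26 AND "
               "Hostname = dc-srx1400-1,vsrx-75")

# Constructed events; keys reuse column names from the Detail View table.
SAMPLE_EVENTS = [
    {"Application": "HTTP", "Source IP": "10.0.0.5", "Hostname": "DC-SRX1400-1"},
    {"Application": "ssh", "Source IP": "192.168.1.26", "Hostname": "vsrx-75"},
    {"Application": "http", "Source IP": "192.168.34.10", "Hostname": "edge-fw-9"},
    {"Application": "ssh", "Source IP": "10.0.0.9", "Hostname": "vsrx-75"},
]


def parse_filter(text):
    """Return [(operator, field, {values})]; the first clause has operator None."""
    text = " ".join(text.split())            # undo line wrapping
    parts = OPERATOR_RE.split(text)          # clause, op, clause, op, clause ...
    operators = [None] + parts[1::2]
    clauses = []
    for op, clause in zip(operators, parts[0::2]):
        field, sep, values = clause.partition("=")
        wanted = {v.strip().lower() for v in values.split(",") if v.strip()}
        if not sep or not field.strip() or not wanted:
            raise ValueError(f"malformed clause: {clause!r}")
        clauses.append((op, field.strip().lower(), wanted))
    return clauses


def matches(clauses, event, and_first=False):
    """Evaluate the clauses against one event.

    and_first=False: strict left-to-right, ((A op B) op C) ...   (assumed reading 1)
    and_first=True:  AND binds tighter than OR, A OR (B AND C)    (assumed reading 2)
    """
    fields = {k.lower(): str(v).lower() for k, v in event.items()}
    hits = [(op, fields.get(field, "") in wanted) for op, field, wanted in clauses]
    if and_first:
        groups, current = [], True
        for op, hit in hits:
            if op == "OR":                   # close the current AND-group
                groups.append(current)
                current = hit
            else:                            # first clause or AND
                current = current and hit
        groups.append(current)
        return any(groups)
    result = False
    for op, hit in hits:
        if op is None:
            result = hit
        elif op == "AND":
            result = result and hit
        else:
            result = result or hit
    return result


def grouping_sensitive(filter_text, events):
    """Events whose match result depends on how AND/OR are grouped."""
    clauses = parse_filter(filter_text)
    return [e for e in events
            if matches(clauses, e) != matches(clauses, e, and_first=True)]


if __name__ == "__main__":
    for event in grouping_sensitive(PAGE_FILTER, SAMPLE_EVENTS):
        print("result depends on grouping:", event)
```

An event that appears in the output is one to check against the portal's actual result before relying on a mixed AND/OR filter for triage.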
Field Descriptions
Table 18 on page 34 provides guidelines on using the fields on the Device Events page.
Table 154: Fields on the Device Events Detailed View Page
Field
Description
Time
View the time when the log was received.
Event Name
View the event name of the log.
Site
View the name of the tenant site.
Source Country
View the name of source country from where the event originated.
Source IP
View the source IP address from where the event occurred.
Destination Country
View the name of destination country from where the event occurred.
Destination IP
View the destination IP address of the event.
Source Port
View the source port of the device event.
Destination Port
View the destination port of the device event.
Description
View the description of the log.
Attack Name
View the attack name of the log. For example, Trojan, worm, virus, and so on.
Threat Severity
View the severity level of the threat.
Policy Name
View the policy name in the log.
UTM Category or Virus Name
View the UTM category of the log.
URL
View the accessed URL name that triggered the event.
Event Category
View the event category of the log.
User Name
View the username of the log.
Argument
View the type of traffic. For example, ftp and http.
Action
View the action taken for the event. For example, warning, allow, or block.
Log Source
View the IP address of the log source.
Application
View the application name from which the events or logs are generated.
Hostname
View the hostname in the log.
Service Name
View the name of the application service. For example, FTP, HTTP, SSH, and so
on.
Nested Application
View the nested application in the log.
Source Zone
View the source zone of the log.
Destination Zone
View the destination zone of the log.
Protocol ID
View the protocol ID in the log.
Roles
View the role name associated with the log.
Reason
View the reason for the log generation. For example, a connection tear down may
have an associated reason such as authentication failed.
NAT Source Port
View the translated source port.
NAT Destination Port
View the translated destination port.
NAT Source Rule Name
View the NAT source rule name.
NAT Destination Rule Name
View the NAT destination rule name.
NAT Source IP
View the translated (or natted) source IP address. It can contain IPv4 or IPv6
addresses.
NAT Destination IP
View the translated (also called natted) destination IP address.
Traffic Session ID
View the traffic session ID of the log.
Path Name
View the path name of the log.
Logical System Name
View the name of the logical system.
Rule Name
View the name of the rule.
Profile Name
The name of the profile that triggered the event.
Event Count
View the number of events that occurred.
Tenant
View the name of the tenant from which the event originated.
Related Documentation
• About the All Security Events Page on page 237
CHAPTER 28
Monitoring SD-WAN Events
• SD-WAN Events Overview on page 261
• About the SD-WAN Events Page on page 262
SD-WAN Events Overview
Service-level agreements (SLAs) define the expected class of service (CoS) for all
applications and application groups in a site. The network operator needs tools to measure
and monitor the performance metrics for all applications to determine the quality of the
network and adherence to an assured CoS. To ensure compliance with SLAs, the network
operator also needs tools to take remedial action when network performance deteriorates
and SLAs are not being met. SD-WAN link-switch events enable the network to switch
WAN links to meet the site’s SLA requirements when the network-designated WAN link
is unable to meet the site’s SLA requirements.
Because SLA parameters override the path preference, in dynamic SD-WAN policies, the
SD-WAN network chooses the best possible WAN link for traffic management. The WAN
link is chosen based on the SLA parameters defined in the SLA profile. If multiple links
match the SLA profile, the least loaded link is chosen. When a policy intent is deployed
on a site, if the WAN link chosen by the SD-WAN network is unable to meet the SLA
requirements in runtime, then the site switches WAN links to meet the SLA requirements.
This link switching is called an SD-WAN event. Link switching also takes into account
the priority defined in the SLA profile and SLA profiles with higher priority are given
precedence while finding alternate WAN links. The ability of a site to switch WAN links
ensures that SLA requirements are met and instances of not meeting the SLA
requirements are minimized.
In static policies, link switching cannot occur even if the designated WAN link is unable
to meet the SLA requirements, because path preference is defined.
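A simplified model of the selection rules described above, as an added example that is not Juniper's implementation: the least loaded link that matches the SLA profile is chosen, higher-priority profiles pick first, and a static policy never switches. The metric names, the load and per-profile demand figures, the sample values, and the convention that priority 1 is highest are assumptions; wan_0, wan_1 and wan_2 follow the link naming used elsewhere in this guide.

```python
from dataclasses import dataclass, replace


@dataclass
class SlaProfile:
    name: str
    priority: int        # assumption: 1 is the highest priority
    max_rtt_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    demand_pct: float    # assumption: load this profile's traffic puts on a link


@dataclass
class WanLink:
    name: str
    rtt_ms: float
    loss_pct: float
    jitter_ms: float
    load_pct: float


def meets_sla(link, profile):
    """True when every measured metric is within the profile's target."""
    return (link.rtt_ms <= profile.max_rtt_ms
            and link.loss_pct <= profile.max_loss_pct
            and link.jitter_ms <= profile.max_jitter_ms)


def choose_link(links, profile, exclude=None):
    """Least loaded link that matches the SLA profile, or None if none matches."""
    candidates = [l for l in links if l.name != exclude and meets_sla(l, profile)]
    return min(candidates, key=lambda l: l.load_pct, default=None)


def sdwan_events(policy, designated, links):
    """Return the link-switch (SD-WAN) events for one evaluation round.

    designated: list of (SlaProfile, name of the designated WAN link).
    """
    if policy == "static":
        return []                                  # path preference is fixed
    state = {l.name: replace(l) for l in links}    # copies; caller's links untouched
    events = []
    # Higher-priority profiles look for an alternate link first.
    for profile, link_name in sorted(designated, key=lambda d: d[0].priority):
        current = state[link_name]
        if meets_sla(current, profile):
            continue                               # SLA met, no switch
        target = choose_link(state.values(), profile, exclude=link_name)
        if target is None:
            continue                               # nothing better; SLA stays unmet
        current.load_pct -= profile.demand_pct     # traffic moves off the old link
        target.load_pct += profile.demand_pct      # and loads the new one
        events.append({"sla_profile": profile.name,
                       "source": link_name,
                       "destination": target.name})
    return events


# Constructed sample data.
LINKS = [
    WanLink("wan_0", rtt_ms=180, loss_pct=2.0, jitter_ms=30, load_pct=40),
    WanLink("wan_1", rtt_ms=40, loss_pct=0.1, jitter_ms=5, load_pct=30),
    WanLink("wan_2", rtt_ms=60, loss_pct=0.2, jitter_ms=8, load_pct=35),
]
VOICE = SlaProfile("voice", 1, max_rtt_ms=100, max_loss_pct=1.0,
                   max_jitter_ms=20, demand_pct=10)
BULK = SlaProfile("bulk", 2, max_rtt_ms=150, max_loss_pct=1.5,
                  max_jitter_ms=25, demand_pct=10)

if __name__ == "__main__":
    for event in sdwan_events("dynamic", [(BULK, "wan_0"), (VOICE, "wan_0")], LINKS):
        print(event)
```

With this data the voice profile takes wan_1 first, which raises its load above wan_2, so the lower-priority bulk profile is moved to wan_2.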
Related Documentation
• About the SD-WAN Events Page on page 262
• SLA Profiles and SD-WAN Policies Overview on page 329
About the SD-WAN Events Page
To access this page, click Monitor > SD-WAN Events in the Customer Portal.
You can use the SD-WAN Events page to view information about SD-WAN events. An
SD-WAN event is triggered when the SLA requirements for a site are not met on its
network-designated WAN link and the site switches WAN links to meet the SLA
requirements.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about all SD-WAN events.
• View details about SD-WAN events in a customized time range.
• Show or hide columns that contain information about SD-WAN events. See “Sorting
Objects” on page 15.
• Search for SD-WAN events using keywords. Click the search icon. Enter partial text or
full text of the keyword in the search bar and press Enter. The search results are
displayed.
Field Descriptions
Table 155 on page 262 describes the fields on the SD-WAN Events page.
Table 155: Fields on the SD-WAN Events Page
Field
Description
Time Range
View a graphical representation of SD-WAN events against a defined time range. The x-axis represents
the defined time and the y-axis represents SD-WAN events.
Use the slider to decrease or increase the time range within which you want to view SD-WAN events.
You can also choose from pre-defined time ranges such as 2h, 4h, 8h, 16h, 24h, or Custom. For custom
time, you must enter from and to dates in MM/DD/YYYY format and the time in HH:MM:SS format.
By default, Previous 1 day is selected.
Time
View the time at which the links were switched.
Site
View the site that switched links.
SLA Profile
View the SLA profile associated with the site.
Source
View the designated WAN link.
Destination
View the new WAN link to which the site switched.
Duration
View the time duration for which the SLA requirement for a site was not met before the site switched
WAN links. A time duration of 0 indicates that the site switched WAN links before it failed to meet the
SLA requirements, and the SLA requirements were met immediately on the new WAN link with no
loss in meeting SLA requirements.
Related Documentation
• SD-WAN Events Overview on page 261
CHAPTER 29
Monitoring Applications
• About the SLA Performance of a Single Tenant Page on page 265
• Viewing the SLA Performance of a Site on page 267
• Viewing the SLA Performance of an Application or Application Group on page 272
• Application Visibility Overview on page 273
• About the Application Visibility Page on page 273
• Selecting Devices on page 276
About the SLA Performance of a Single Tenant Page
To access this page, select Monitor > Applications > Tenant-Name SLA Performance in
the Customer Portal.
You can use the Tenant-Name SLA Performance page to view performance reports for
all sites in a tenant. You can view the SLA performance of all sites that have met and all
sites that have not met the defined SLA target values for the specified time range. You
can customize your view and also the time range for which you want to view the SLA
performance.
Tasks You Can Perform
You can perform the following tasks from this page:
• View the SLA performance for all sites in the tenant that have met the defined SLA
target values, without switching WAN links, for the specified time range.
• View the SLA performance for all sites in the tenant that have met the defined SLA
target values, after switching WAN links, for the specified time range.
• View the SLA performance for all sites in a tenant that have not met the defined SLA
target values for the specified time range.
• View the SLA performance for all sites in a tenant in grid or card views.
Select card view or grid view at the top right of the page. By default, card view is
selected.
• Customize the time range to view the SLA performance for all sites in a tenant.
Select the time range for which you want to view SLA performance. You can choose
from Previous 1 hour, Previous 1 day, Previous 1 week, Previous 1 month, and Custom.
For custom time, you must enter from and to dates in MM/DD/YYYY format and the
time in HH:MM:SS format. By default, Previous 1 day is selected.
Field Descriptions
Table 156 on page 266 describes the fields on the Tenant-Name SLA Performance page.
Table 156: Fields on the SLA Performance of a Single Tenant Page
Field
Description
Time range
Select the time range for which you want to view the SLA performance.
You can choose from Previous 1 hour, Previous 1 day, Previous 1 week,
Previous 1 month, and Custom. For custom time, you must enter from and
to dates in MM/DD/YYYY format and the time in HH:MM:SS format. By
default, Previous 1 day is selected.
View
Select the view in which you want to display the SLA performance for all
sites in the tenant. You can choose between card and grid views. By default,
card view is selected.
Sites Not Meeting SLAs
View the sites that did not meet the defined SLA target values in the
selected time range.
Click each site to view more information about the SLA performance of
the applications and application groups in the site. See “Viewing the SLA
Performance of a Site” on page 267.
Sites Meeting SLAs With Switch
View the sites that switched WAN links to meet the defined SLA target
values in the selected time range.
Click each site to view more information about the SLA performance of
the applications and application groups in the site. See “Viewing the SLA
Performance of a Site” on page 267.
Sites Meeting SLAs Without Switch
View the sites that met the defined SLA target values in the selected time
range without switching WAN links.
Click each site to view more information about the SLA performance of
the applications and application groups in the site. See “Viewing the SLA
Performance of a Site” on page 267.
Table 157 on page 266 describes the fields in the card and grid views.
Table 157: Fields on the SLA Performance of a Single Tenant Page in Card and Grid Views
Field
View
Description
Name
Card and Grid
View the name of the site.
SLA not met (Time)
Card and Grid
View the average time (in %) during
which all the sites in a tenant did not
meet the defined SLA target values.
Profiles
Card
Profile SLA Not Met
Grid
View the time (in %) during which
defined SLA target values were not met
for each SLA profile. The top two profiles
with highest priority and the percentage
of time during which SLA target values
were not met are listed. The remaining
profiles and their combined sum of time
(in %) for which SLA target values were
not met are listed under Others. The SLA
profile priority is indicated within the
circle. You can define priority of the SLA
profile when you create an SLA profile.
Hover over the profile priority to view the
SLA profile name.
App - Groups
Card and Grid
View the total number of applications
and application groups in the site.
Switch Events
Card and Grid
View the number of times the site
switched WAN links over the number of
designated WAN links. A switch event,
also called SD-WAN event, occurs when
a site switches WAN links to meet the
SLA requirements.
Switch Events Per Profile
Card and Grid
View the number of times the site
switched WAN links for each profile. You
can view the switch events for the top
two SLA profiles in the decreasing order
of switch events for each profile.
Related Documentation
• Viewing the SLA Performance of a Site on page 267
• Viewing the SLA Performance of an Application or Application Group on page 272
• SD-WAN Events Overview on page 261
• Creating SLA Profiles on page 339
Viewing the SLA Performance of a Site
You can use the Monitor > Applications > Tenant_name SLA Performance > Site_name SLA
Performance page in the Customer Portal to view the SLA performance for all applications
and application groups in a site. You can view the SLA performance for all applications
and application groups in a site for a specified time range and in graph or grid views.
The Site_name SLA Performance page is divided into the following sections:
• SLA Not Met by SLA Profiles on page 268
• Applications SLA Performance by Throughput on page 269
• SLA Performance for ALL on page 271
SLA Not Met by SLA Profiles
You can use the SLA Not Met by SLA Profiles section on the Site_name SLA Performance
page to view the SLA profiles for which SLA requirements were not met and the time at
which they were not met. The y-axis represents the SLA profiles and the x-axis represents
the specified time range. The SLA Not Met by SLA Profiles section can be viewed and
remains the same in both graph and grid views.
To view a graphical representation of SLA profiles for which SLA target values were not
met:
1. Select the time range for which you want to view the SLA profiles for which SLA target
values were not met. You can choose from Previous 1 hour, Previous 1 day, Previous 1
week, Previous 1 month, and Custom. For custom time, you must enter from and to
dates in MM/DD/YYYY format and the time in HH:MM:SS format. By default, Previous
1 day is selected.
The graphical representation of SLA profiles for which SLA target values were not
met is displayed for the selected time range.
2. (Optional) You can use the sliders at the sides of the graph to further customize the
time range.
The graphical representation of SLA profiles for which SLA target values were not
met is refreshed and displayed for the customized time range. The graphical
representation of SLA performance data in the subsequent sections on the page is
also refreshed and displayed for the customized time range.
Applications SLA Performance by Throughput
You can use the Applications SLA Performance by Throughput section on the Site_name
SLA Performance page to view average throughput performance of all applications and
application groups in a site. You can also customize your view by selecting graph or grid
views. In the graph view, you can further select scatter plot or tree map.
To view a graphical representation of average throughput performance of all applications
and application groups in a site:
1. Select Graph View at the top right of the page. By default, Graph View is selected.
A graphical representation of average throughput performance of all applications and
application groups in a site against the target throughput is displayed in the Scatter
Plot view. The y-axis represents the average throughput. 0% on the x-axis represents
the target throughput (in %) defined in the SLA profiles, while the regions on the left
and right of the target represent percentages below and above the target throughput,
respectively.
A carousel at the bottom of the section also displays the list of all applications and
application groups with their SLA profiles, target throughput, and average throughput
values.
2. Click Legend at the bottom right of the section to view the plotting legend.
The items described in the Legend are:
• A single application is represented by a blue circle.
• An application group is represented by a blue square.
• An application or application group whose target throughput value in the SLA profile
was modified during runtime is represented by an uncolored circle and uncolored
square, respectively.
• The SLA profiles are represented by their priority numbers within the colored or
uncolored circles and squares.
3. (Optional) You can use the sliders at the sides of the graph to further customize the
time range.
The carousel is refreshed for the customized time range.
4. Click the circles or squares to view more information about the application or
application groups. See “Viewing the SLA Performance of an Application or Application
Group” on page 272.
5. Select Tree Map at the top right of the section to view a list of all applications and
application groups in a site and their average throughput values.
A list of all applications and application groups in a site along with their associated
SLA profiles and the average throughput values is displayed.
To view a tabular representation of average throughput performance of all applications
and application groups in a site:
1. Select Grid View at the top right of the page.
A list of all applications and application groups along with their SLA profiles, average
throughput, and target throughput values is displayed in a tabular format.
Table 158 on page 270 describes the fields on the Applications SLA Performance by
Throughput grid view.
Table 158: Fields on the Applications SLA Performance by Throughput Grid View
Field
Description
Name
View the name of the application or application group.
SLA Profile
View the SLA profile associated with the application or application group.
Type
View the type—application or application group.
Category
View the category of the application or application group. The value of Category can be
Messaging, Web, Infrastructure, Remote-Access, Multimedia, Video, and so on.
Sessions
View the number of sessions consumed by the application or application group.
Throughput Avg. Performance
View the average throughput performance value (in %) of the application or application
group. The upward triangle on the left of the average throughput performance value
indicates that the average throughput is higher than the target throughput configured in
the SLA profile of the application or application group. The value (in %) denotes the
percentage above the target throughput value. Similarly, the downward triangle on the
left of the average throughput performance value indicates that the average throughput
is lower than the target throughput configured in the SLA profile of the application or
application group. The value (in %) denotes the percentage below the target throughput
value.
2. (Optional) Click the details icon to the left of the application or application group
name to view more information about the application or application group. See
“Viewing the SLA Performance of an Application or Application Group” on page 272.
SLA Performance for ALL
View a graphical representation of the performance of the SLA parameters such as
round-trip time (RTT), latency, packet loss, and jitter for the specified time range for
MPLS and Internet WAN links for all SLA profiles. The y-axis represents the SLA
parameters and the x-axis represents the specified time range. You can also view the
respective target SLA parameters in the graphs.
NOTE: The graphical representation of the performance of all SLA parameters
for the WAN links is available only in the graph view.
To view a graphical representation of the performance of all SLA parameters for the
WAN links:
• Select All at the top right of the section. By default, All is selected.
A graphical representation of the performance of the SLA parameters such as RTT,
latency, packet loss, and jitter for the specified time range for all WAN links is displayed.
• Select wan_0, wan_1, and so on at the top right of the section to view the performance
of the SLA parameters for the MPLS and Internet WAN links. You can enable and
configure wan_0, wan_1, and so on and map them to MPLS or Internet links when you
create a site.
The graphical representation of the performance of the SLA parameters such as RTT,
latency, packet loss, and jitter for the specified time range is refreshed and only the
performance for the selected WAN link is displayed.
• (Optional) Click Legend at the bottom right of the section to view the plotting legend
for the horizontal dotted lines parallel to the x-axis in the graphs. The horizontal dotted
lines represent the respective target SLA parameters of the SLA profiles.
NOTE: RTT is represented as Delay on the “Application SLA Profiles” on
page 338 page.
Related Documentation
• About the SLA Performance of a Single Tenant Page on page 265
• Viewing the SLA Performance of an Application or Application Group on page 272
Viewing the SLA Performance of an Application or Application Group
You can use the Monitor > Applications > Tenant-Name SLA Performance > Site-Name
SLA Performance page in the Customer Portal to view the SLA performance for individual
applications and application groups in a site. You can also view the SLA performance of
the associated SLA profile for all SLA parameters.
To view the SLA performance of an application or application group:
• Click one of the circles or squares in the Applications SLA Performance by Throughput
section on the Site-Name SLA Performance page.
The page that appears displays SLA performance details of the application or
application group.
Table 159 on page 272 describes the fields on the application or application group SLA
Performance details page.
Table 159: Fields on the Application or Application Group Details Page
Field
Description
Category and Description
View the category of the application or application group. The category can be Messaging,
Web, Infrastructure, Remote-Access, Multimedia, Video, and so on.
You can also view a description of the application or application group.
SLA
View the name of the SLA profile associated with the application or application group.
Target
View the current target throughput defined in the SLA profile associated with the application
or application group. If the target throughput was modified during runtime, the date and time
when the throughput was modified and the previously defined throughput value are also
displayed.
Avg. Performance
View the average throughput performance (in %) above or below the configured target
throughput. The average throughput (in Mbps) is displayed within parentheses.
SLA Metrics by Throughput
View a graphical representation of the SLA metrics by throughput during the specified time
range for that application or application group. The y-axis represents the throughput (in Mbps).
The x-axis represents the specified time range. Hover over the graph to view the throughput
value and time at any specified point. You can also view the sessions consumed by the WAN
links for the application or application group during the time range.
Global SLA Profile Performance
View the performance for all the SLA parameters of the SLA profile associated with the
application or application group. The SLA performance is represented by a color-coded donut
chart. The section in blue in the donut chart indicates the percentage of time during which SLA
requirements for the SLA profile were met. The section in red in the donut chart indicates the
percentage of time during which SLA requirements for the SLA profile were not met.
Click the red colored section of the donut chart to view more information about when SLA
requirements for the SLA profile were not met. The SLA Profile Performance page appears.
The SLA Profile Performance page displays the following fields:
• SLA Profile—SLA profile associated with the application or application group
• Target—Target throughput configured in the SLA profile
• SLAs Not Met—Percentage of time SLA requirements were not met for the SLA profile
• Sessions—Number of sessions consumed by the application or application group
• Start Time—Time at which the WAN links associated with the application or application
groups started to fail meeting the SLA requirements
• End Time—Time at which SLA profile requirements started to be met again
• Avg Val—Average throughput (in Mbps) when the SLA requirements started to fail
• Duration—Total duration (in seconds) during which SLA requirements were not met
• From—Source WAN link
• To—Destination WAN link
Related Documentation
• About the SLA Performance of a Single Tenant Page on page 265
• Viewing the SLA Performance of a Site on page 267
Application Visibility Overview
You can use the Application Visibility page to view information about bandwidth
consumption, session establishment, and the risks associated with your applications.
Analyzing your network applications yields useful security management information,
such as abnormal applications that can lead to data loss, heavy bandwidth usage,
time-consuming applications, and personal applications that can elevate business risks.
Related Documentation
• About the Application Visibility Page on page 273
• Selecting Devices on page 276
About the Application Visibility Page
To access this page, select Monitor > Applications > Visibility.
There are two ways in which you can view your application visibility data—Chart View or
Grid View. By default, the data is displayed in Chart View.
Tasks You Can Perform
You can perform the following tasks from this page:
• View application visibility data in Chart View. See “Chart View” on page 274.
• View application visibility data in Grid View. See “Grid View” on page 275.
• Select a device to which the application visibility settings are applicable. See “Selecting
Devices” on page 276.
Chart View
Click the Chart View link for a brief summary of the top 50 applications consuming the
maximum bandwidth in your network. The data can be presented graphically as a bubble
graph, heat map, or a zoomable bubble graph. The data is refreshed automatically based
on the selected time range. You can also use the Custom button to set a custom time
range.
You can hover over your applications to view critical information such as total number
of sessions, total number of blocks, category, bandwidth consumed, risk levels, and
characteristics. You can also view the top five users accessing your application.
Table 160 on page 274 provides guidelines on using the fields on the Chart View of the
Application Visibility page.
Table 160: Fields on the Chart View
Field
Description
All Devices
Displays application visibility data for all the sites managed by CSO. Click Edit to select individual
devices for which you want to view the data.
Show By
Select from the following options to view a user’s data:
• Bandwidth—Shows data based on the amount of bandwidth the application has consumed for a
particular time range.
• Number of Sessions—Shows data based on the number of sessions consumed by the application.
Time Span
Select the required time range to view a user’s data.
Use the custom option to choose the time range if you want to view data for more than one day. The
time range is from 00:00 through 23:59.
Select graph
Select from the following graphical representations to view an application’s data:
• Bubble Graph
• Heat Map
• Zoomable Bubble Graph
By default, data is shown in the Bubble Graph format.
Group By
Select from the following options to view the application’s data:
• Risk—Grouped by critical, high, unsafe, and so on.
• Category—Grouped by categories such as web, infrastructure, and so on.
Number of Sessions
Displays the total number of application sessions.
Number of Blocks
Displays the total number of times the application was blocked.
Bandwidth
Displays the bandwidth usage of the application.
Risk Level
Displays the risk associated with the application. For example, critical, high, unsafe, and so on.
Category
Displays the category of the application. For example, web, infrastructure, and so on.
Characteristics
Displays the characteristics of the application. For example, prone to misuse, bandwidth consumer,
capable of tunneling, and so on.
Grid View
Click the Grid View link to obtain comprehensive details about applications. You can view
top users by volume, top applications by volume, top category by volume, top
characteristics by volume, and sessions by risk. You can also view the data in a tabular
format that includes sortable columns. You can sort the applications in ascending or
descending order based on application name, risk level, and so on. Table 161 on page 275
describes the widgets in this view. Use these widgets to get an overall, high-level view
of your applications, users, and the content traversing your network.
Table 161 on page 275 provides guidelines on using the fields on the Grid View of the
Application Visibility page.
Table 161: Widgets on the Grid View
Field
Description
Top Users By Volume
Top users of the application; sorted by bandwidth consumption.
Top Apps By Volume
Top applications using the network traffic, such as Amazon, Facebook, and so on, sorted by bandwidth
consumption.
Top Category By Volume
The top category of the application, such as Web, infrastructure, and so on; sorted by bandwidth
consumption.
Top Characteristics By Volume
Top behavioral characteristics of the application, such as whether it is highly prone to misuse, the top
bandwidth consumer, and so on.
Sessions By Risk
Number of events or sessions received; grouped by risk.
Table 162 on page 276 describes the fields in the table below the widgets. Users are
displayed by usernames or IP addresses. When you click a link, the User Visibility page
appears in a grid view, with the correct filter applied. Sessions are also displayed as links
and when you click a link, the All Events page appears with all security events.
Table 162: Detailed View of Applications
Field
Description
Application Name
Name of the application, such as Amazon, Facebook, and so on.
Risk Level
Risk associated with the application: critical, high, unsafe, moderate, low, and unknown.
Users
Total number of users accessing the application.
Volume
Bandwidth used by the application.
Total Sessions
Total number of application sessions.
No of Rejects
Total number of sessions blocked.
Category
Category of the application, such as Web, infrastructure, and so on.
Sub Category
Subcategory of the application. For example, social networking, news, and advertisements.
Characteristics
Characteristics of the application. For example, prone to misuse, bandwidth consumer, capable of
tunneling.
Related Documentation
• Application Visibility Overview
• Selecting Devices
• About the SLA Performance of a Single Tenant Page
Selecting Devices
You can select the devices to which the application visibility settings are applicable. By
default, these settings are applicable to all devices.
To select devices:
1. Select Monitor > Applications > Visibility.
The Application Visibility page appears.
2. Click the Edit link that appears beside All Devices.
The Select Devices page appears.
3. Choose the Selective option. The available devices are displayed in the Available
column.
4. Choose the devices from the Available column and click the greater-than icon (>) to
move them to the Selected column.
5. Click OK to save your changes. If you want to discard your changes, click Cancel instead.
If you click OK, application visibility data will be displayed only for the selected devices.
Related Documentation
• Application Visibility Overview
• About the Application Visibility Page
CHAPTER 30
Monitoring Jobs
• About the Jobs Page
• Editing and Deleting Scheduled Jobs
• Viewing Job Details
About the Jobs Page
To access this page, click Monitor > Jobs.
Use this page to view the list of all jobs and the jobs that are scheduled to be executed.
You can view general information about the jobs and the overall progress and status of
the jobs. You can also edit and delete scheduled jobs.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a job. See “Viewing Job Details” on page 282.
• Edit and delete scheduled jobs. See “Editing and Deleting Scheduled Jobs” on page 281.
Field Descriptions
Table 163 on page 279 provides guidelines on using the fields on the Jobs page.
Table 163: Fields on the Jobs Page
Field
Description
Job Name
View the name of the job.
Example: MSEC_DOWNLOAD_IPS/APPLICATION_SIGNATURES_08_Jul_17_124229_024
Resource Name
View the resource name of the job.
Example: Download IPS/Application Signatures
Status
View the status of the job to know whether the job succeeded or failed.
Example: Success
Owner
View the name of the owner who created the job.
Example: cspadmin
Number of Tasks
View the number of tasks associated with the job.
Example: 2
For example, the tasks site.ucpe-32 and customer.sdwan are associated with the job.
Job Type
View the job type.
Example: tssm import pop
Start Date
View the start date and time of a task associated with the job.
End State
View the end date and time of a task associated with the job.
Field Descriptions
Table 26 on page 50 provides guidelines on using the fields on the Scheduled Jobs page.
Table 164: Fields on the Scheduled Jobs Page
Field
Description
Schedule ID
View the unique ID of the scheduled job. The value is generated by the database when a new
schedule record is inserted into the database.
Example: 48
Name
View the unique name of the scheduled job.
Example: Tenant Delete_csp.tssm_remove_site_e340354716ae43859fad5ba15669eee2
Status
View the status of the last triggered job. The following states are available: scheduled, In progress,
complete, or failed.
The default status is scheduled.
Job Type
View the job type.
Example: tssm onboard tenant
Owner
View the name of the owner who scheduled the job.
Example: cspadmin
Next Run Time
View the time when the job is scheduled to run next.
Related Documentation
• Editing and Deleting Scheduled Jobs
Editing and Deleting Scheduled Jobs
You can edit and delete scheduled jobs. This topic contains the following sections:
• Editing Scheduled Jobs
• Deleting Scheduled Jobs
Editing Scheduled Jobs
You can modify the date and time of deployment of scheduled jobs.
To modify a scheduled job:
1. Select Monitor > Jobs > Scheduled Jobs.
The Scheduled Jobs page appears.
2. Select the job whose deployment you want to reschedule, and click the edit icon.
The Edit Schedule page appears.
3. To execute the job immediately, delete the existing scheduled entry, create a new
entry, and then select the Run now option. To reschedule the job for a later date and
time, select the Schedule at a later time option.
4. Click Save to save the changes.
The modified job and its details are displayed on a page
Deleting Scheduled Jobs
You can delete one or more scheduled jobs.
To delete a scheduled job:
1. Select Monitor > Jobs > Scheduled Jobs.
The Scheduled Jobs page appears with a list of jobs.
2. Select the check box of the job that you want to delete and then click the delete icon
(X).
The Confirm Delete page appears.
3. Click Yes to confirm.
The scheduled job is deleted.
Related Documentation
• About the Jobs Page
• Viewing Job Details
Viewing Job Details
You can use the Detailed View page to view all the parameters of a job.
To view details of a job:
• Right-click the job name that you want to see the detailed view for and select Detail
View, or select the job and click More > Detail View.
• Alternatively, hover over the job name and click the Detailed View icon that appears
before it.
The Detailed View page appears, showing the details of the job and the number of tasks
associated with the job. See the relevant topic “About the Jobs Page” on page 279 for a
description of the fields on these pages.
Related Documentation
• About the Jobs Page
CHAPTER 31
Managing Devices
• About the Devices Page
• Managing a Single CPE Device
About the Devices Page
To access this page, click Resources > Devices.
You can use the Devices page to view the list of available CPE devices at the customer
premises. You can also view information about each CPE device in the network.
Tasks You Can Perform
You can perform the following tasks from this page:
• Quickly view activation data created for CPEs in the widgets that appear at the top of
the page. See Table 53 on page 98.
• Manage a single CPE. See “Managing a Single CPE Device” on page 285.
• View details about a CPE. Click the details icon that appears when you hover over the
name of a device or click More > Details. See “Viewing Object Details” on page 223.
• Show or hide columns about the CPE. See “Sorting Objects” on page 223.
• Search an object about the CPE. See “Searching for Text in an Object Data Table” on
page 224.
Field Descriptions
• Table 53 on page 98 describes widgets on the Devices page.
• Table 54 on page 98 describes the fields on the Devices page.
Table 165: Widgets on the Devices Page
Widget
Description
CPE by Status
View the management status of the CPE devices deployed in the
cloud.
• Pending Activation—Number of CPE devices that are yet to connect
to the regional server.
• Activation Failed—Number of CPE devices that could not connect
to the regional server.
• Expected—Number of CPE devices that have yet to connect to the
regional server.
• Active—Number of CPE devices that have downloaded images, but
are not yet configured.
• Provisioned—Number of CPE devices on which IPsec tunnels are
fully operational.
• Provision Failed—Number of CPE devices that failed when the vSRX was
not instantiated properly.
Table 166: Fields on the Devices Page
Field
Description
Device Name
View the name of the device.
Example: sunny-NFX-250
Tenant
View the name of the tenant.
Example: tenant-blue
Site Name
View the name of the tenant site.
Example: site-blue-white
Management Status
View the management status of the CPE devices deployed in the cloud.
• Expected—Regional server has the activation details for the CPE
device, but the CPE device has not yet established a connection with the
server.
• Active—CPE device has downloaded images, but is not yet configured.
• Provisioned—IPsec tunnel on NFX250 device is operational.
• Provision_Failed—CPE device failed when the vSRX was not
instantiated properly.
Model
View the name of the device model.
Example: NFX
Active Services
View the number of services that are activated for the device.
Example: 3
Location
View the name of the location.
Example: San Jose, CA
Status Message
View the latest status message.
Example: IPsec provision success
WAN Links
View the number of WAN links.
Example: 2
POP Name
View the name of the POP.
Example: pop_blue
Image Name
View the name of the device image file.
Example: install_nfx_fmpm_agent_1_0.sh
OS Version
View the Junos OS Release version.
Example: 15.1X49-D40
Serial Number
View the serial number of the device.
Example: DD0416AA0117
Related Documentation
• Managing a Single CPE Device
Managing a Single CPE Device
You can use the Devices page to view and manage a single customer premises equipment
(CPE) device at the tenant site. To access this page, click Resources > Devices >
Device-Name.
You can perform the following tasks from this page:
• View the following information on the Overview tab:
  • Geographical location of the device at the tenant site.
  • Aggregate throughput of the device.
  • Recent alerts for the device.
  • Details of the device, such as serial number, management IP address, OS version,
  device template, tenant name, site name, and site location.
• View the following information on the Policies tab:
  • List of all policies applicable to a CPE device.
  • Click a policy name to view the rules that are applicable for the CPE device.
  • Click the edit icon at the end of the row to edit a policy. You are taken to the
  Configuration > Policy page, where you can edit the policies.
  • Details about the tenant user who last updated the policy.
  • Time when the policy was last updated.
  • Deployment status of the policy.
  • Number of rules applicable to the device compared to the total number of rules
  applicable to the tenant.
Related Documentation
• About the Devices Page
CHAPTER 32
Managing Device Images
• Device Images Overview
• About the Device Images Page
• Deleting Device Images
Device Images Overview
An image management system provides full lifecycle management of images for all
network devices, including CPE device and virtualized network function (VNF) images.
A device image is a software installation package for the CPE device or an image for a
virtual application that runs on the device. For example, for an NFX Series device platform,
you require an NFX software image and a software image for the vSRX application that
provides security functions and routing on the device.
Related Documentation
• About the Device Images Page
About the Device Images Page
To access this page, click Resources > Images.
You can use the Images page to view the list of device images that are available in the tenant’s
network.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a device image. Click the details icon that appears when you hover
over the name of an image or click More > Details. See “Viewing Object Details” on
page 14.
• Show or hide columns about the device image. See “Sorting Objects” on page 15.
• Search an object for a device image. See “Searching for Text in an Object Data Table”
on page 15.
Field Descriptions
Table 76 on page 128 shows the fields on the Images page.
Table 167: Fields on the Device Images Page
Field
Description
Image Name
View the name of the device image.
Example: juniper_srx_v1.tgz
Type
View the type of the device image.
Example: VNF Image
Version
View the version number of the device image.
Example: 1.1
Vendor
View the vendor name of the device.
Example: Juniper
Size
View the size of the device image.
Example: 14 KB
Related Documentation
• Device Images Overview
Deleting Device Images
You can delete one or more device images from the Device Images page.
To delete a device image:
1. Select Resources > Images.
The Images page appears with a list of device images.
2. Select the device image that you want to delete and then click the delete icon (X).
The Confirm Delete page appears.
3. Click Yes to confirm.
The Delete Success message is displayed.
The device image is deleted.
Related Documentation
• About the Device Images Page
CHAPTER 33
Managing Network Services
• Network Service Overview
• About the Network Services Page
• About the Service Overview Page
• About the Service Instances Page
• Configuring VNF Properties
• vSRX VNF Configuration Settings
• LxCIPtable VNF Configuration Settings
• Cisco CSR-1000v VNF Configuration Settings
• Riverbed Steelhead VNF Configuration Settings
• Silver Peak VX VNF Configuration Settings
Network Service Overview
A network service is a final product offered to end users with a full description of its
functionality and specified performance.
Administrative users deploy network services between two locations in a virtual network,
so that traffic traveling in a specific direction on that link is subject to action from that
service. The term network service is defined in the ETSI Network Functions Virtualization
(NFV) standard.
A network service consists of a service chain of one or more linked network functions,
which are provided by specific virtualized network functions (VNFs), with a defined
direction for traffic flow and defined ingress and egress points. The term service chain
refers to the structure of a network service, and although not defined in the ETSI NFV
standard, this term is regularly used in NFV and software-defined networking (SDN).
A network service designer creates network services in Network Service Designer. When
the designer publishes the service to the network service catalog from Network Service
Designer, administrators can see the network service in Administration Portal.
Related Documentation
• About the Network Services Page
• About the Service Overview Page
• About the Service Instances Page
About the Network Services Page
To access this page, click Configuration > Network Services.
You can use the Network Services page to view the complete list of network services
that service designers have published to the network service catalog from network service
designer and to view information about the services. For an introduction to network
services, see “Network Service Overview” on page 291.
Tasks You Can Perform
You can perform the following tasks from this page:
• Quickly view important data about network services and about instances of those
services deployed at customers’ sites in the widgets that appear at the top of the page.
See Table 168 on page 292.
• View full information about a service and about instances of a service at customer
sites. Click the name of a service in the list. See “About the Service Instances Page” on
page 295.
Field Descriptions
Table 168 on page 292 shows the descriptions of the widgets that appear at the top of
the Network Services page.
Table 168: Widgets on the Network Services Page
Widget
Description
Top Network Services Instantiated
View the numbers of instances of the three services that are most used by tenants
in the network.
This view helps you identify trends for network services, especially when you
introduce a new service.
Services with Critical Alerts
View the top three network services receiving the maximum number of critical alerts.
Top Services by POP CPU Usage
View the top three network services using the largest percentage of CPU from the
assigned CPU cores.
Table 169 on page 292 shows the descriptions of the fields on the Network Services page.
Table 169: Fields on the Network Services Page
Field
Description
Name
View the name of the service.
Click the name to view full information about a service.
Tenants
View the names of the tenants that have access to the network service.
Sites
View the total number of sites at which the service is deployed for the tenant.
Example: 2
Instances
View the total number of occurrences of the service that administrative users have activated
for the tenant.
Example: 1
Last Update
View the date on which the network service designer last modified the service.
Table 170 on page 293 shows the descriptions of the fields on the Detail for network service
name page.
Table 170: Fields on the Network Service Detail Page
Field
Description
General
Configuration
View the settings that the network service designer or you have configured for this service.
Version
View the version number of the network service.
Example: 1.1
State
View the status of the network service.
Example: Published
Performance Goals
View performance parameters of the network service that include bandwidth, number of
sessions, latency, and license cost.
Related Documentation
• Network Service Overview
• About the Service Overview Page
• About the Service Instances Page
About the Service Overview Page
To access this page, click Service > Service Name > Overview.
You can use the Service Overview page to view information about a service that the
service designer has published to the network service catalog from Network Service
Designer.
Tasks You Can Perform
You can perform the following tasks from this page:
• View administrative details about the service. See General Information in
Table 171 on page 294.
• View resources required for the service and its performance specification. See Service
Requirements and Service Performance in Table 171 on page 294.
• View the service chain, with its constituent VNFs. See Service Configuration in
Table 171 on page 294.
• Configure VNFs. Click a VNF in the service chain graphic. See “vSRX VNF Configuration
Settings” on page 297.
Field Descriptions
Table 171 on page 294 provides guidelines on using the fields on the Service Overview page.
Table 171: Fields on the Service Overview Page
Field
Description
General Information
Description
View a summary about the service’s capabilities.
The network service designer provides this summary.
State
View the state of the network service:
• Discontinued—Service is no longer available for customers.
• Published—Service designer has published service to network catalog, and it is available for
customers.
Tenants
View the number of tenants using this service.
Service Requirements
CPU
View the number of CPUs that the service needs (cores).
Memory
View the amount of RAM that the service needs in gigabytes (GB).
Service Performance
Sessions
View the number of sessions concurrently supported by one instance of the service.
Bandwidth
View the data rate for the service in megabytes per second (Mbps) or gigabytes per second
(Gbps).
Latency
View the time a packet takes to traverse the service in milliseconds (ms) or nanoseconds (ns).
License cost
Specify the license cost for the network service in USD.
Service Configuration (graphic of the service chain)
I
View the ingress point—the point at which packets enter the service.
E
View the egress point—the point at which packets exit the service.
One or more VNFs
Click to view settings for the VNF. See “vSRX VNF Configuration Settings” on page 297.
The service designer can configure the VNF settings in Network Service Designer and the
administrative user can configure the VNF settings in Customer Portal.
BEST PRACTICE: The network service designer configures settings for the virtual machine (VM)
in which the virtualized network function (VNF) resides and the administrative user configures
settings for the service, such as policies. The service designer can also configure a few example
settings for the service. These example settings should be generic and not network-specific.
Related Documentation
• Network Service Overview
• About the Network Services Page
• About the Service Instances Page
About the Service Instances Page
To access this page, click Services > Service Name > Instances.
You can use the Service Instances page to view information about occurrences of the
service at specific customer sites.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a service instance. Click the details icon that appears when you
hover over the name of a service. See Table 173 on page 296.
• Enable or disable a network service or virtualized network function (VNF) recovery.
Select a service instance and click Enable Auto Healing to enable automatic recovery
of a network service or VNF in a centralized deployment. By default, automatic recovery
of a network service or VNFs is enabled. See “Configuring VNF Properties” on page 297.
Field Descriptions
Table 172 on page 296 shows the descriptions of the fields on the Service Instances page.
Table 172: Fields on the Service Instances Page
Field
Description
Name
View the name of the occurrence of a service at a specific tenant site.
Tenant
View the name of the tenant.
Status
View the state of the service at the customer site:
• Created—Administrative user for the tenant has enabled this service instance, which is active.
• Blank—Administrative user for the tenant has disabled this service instance.
Site
View the name of the site at which service occurrence is available.
POP
View the POP in which the site is located.
Functions
View network functions that the service offers; for example, Network Address Translation (NAT)
or firewall.
Table 173 on page 296 shows the descriptions of the fields on the Detail for
Service-Instance-Name page.
Table 173: Fields on the Service Instance Details Page
Field
Description
General
Description
View information about this service instance.
This information is generated from data in Customer Portal.
Related Documentation
• Network Service Overview
• About the Network Services Page
• About the Service Overview Page
Configuring VNF Properties
You can specify whether to enable automatic recovery of a network service or virtualized
network function (VNF) for a network service instance in a centralized deployment.
Enabling automatic recovery of a network service or VNF improves reliability of the
implementation.
Conversely, disabling automatic recovery of a network service or VNF allows you to quickly
investigate a problem with a network service or VNF itself.
To enable or disable automatic recovery of a network service or VNF:
1. Select Services > Services Name > Instances.
The Services Instances page appears.
2. Select a service instance for which you want to enable or disable automatic recovery.
3. Click Enable Auto Healing.
The Service Properties page appears.
4. Select whether you want to enable or disable automatic recovery.
NOTE: By default, automatic recovery of a network service or VNF is
enabled.
5. Click Save.
Related Documentation
• About the Service Instances Page
vSRX VNF Configuration Settings
You can configure the vSRX VNF from Services > Service Name > Overview > Service
Configuration. Your service provider usually configures base settings for the virtual machine
(VM) in which the virtualized network function (VNF) resides and you configure settings
for the service, such as policies.
NOTE: A vSRX firewall virtualized network function (VNF) is always part of
a service chain for a network service on a CPE device.
Use the information in the following tables to provide values for the available settings:
• Table 174 on page 298 shows the settings you can configure for the virtual machine
(VM) that contains the VNF.
NOTE: Your service provider usually configures the base settings and you
should not need to change them.
• Table 175 on page 299 shows the firewall settings you can configure.
Table 174: Fields for the vSRX Base Settings
Field
Description
Host Name
For a cloud site, specify the hostname of the VM that contains the vSRX VNF. The field has no
limit on the number of characters and accepts letters, numbers, and symbols.
Example: vm-vsrx
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
Loopback Address
Specify an IPv4 loopback address for the management interface of the VM.
Example: 192.0.2.25
DNS Servers
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name
servers.
Example: 192.0.2.35
NTP Servers
Specify the FQDNs or IP addresses of one or more NTP servers.
Example: 192.0.2.45
Syslog Servers
Specify the FQDNs or IP addresses of one or more system log servers.
Example: 192.0.2.55
Enable Re-filter
Select True to enable a stateless firewall filter that protects the Routing Engine from
denial-of-service (DoS) attacks or False to allow DoS attacks.
Example: True
Enable Default Screens
For a cloud site, select True to enable the default screens security profile for the destination zone
or False to disable default screening.
Example: False
You cannot configure this setting for an on-premise site.
Time Zone
Specify the time zone for the VM.
Example: UTC
Right Interface
Specify the identifier of the VM interface that transmits data.
Example: ge-0/0/1
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
Left Interface
Specify the identifier of the VM interface that receives data.
Example: ge-0/0/0
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
SNMP Prefix List
If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for SNMP operations when it discovers the vSRX VNF.
Example: 10.0.2.0/24
Ping Prefix List
If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for ping operations when it discovers the vSRX VNF.
Example: 10.0.2.1/24
Space Servers
If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the
Junos Space Virtual Appliances.
Example: 10.0.2.50
Table 175: Fields for the vSRX Firewall Settings
Field
Description
Policy Name
Specify the name of the rule. The field has no limit on the number of characters and accepts letters,
numbers, and symbols.
Example: policy-1
Source Zone
Select the security zone from which packets originate.
• left—Interface that transmits data to the host
• right—Interface that receives data transmitted from the host
Zone policies are applied to traffic traveling from one security zone (source zone) to another security
zone (destination zone). This combination of a source zone and a destination zone is called a context.
Example: left
Destination Zone
Select the security zone to which packets are delivered.
• left—Interface that transmits data to the host
• right—Interface that receives data transmitted from the host
Zone policies are applied to traffic traveling from one security zone (source zone) to another security
zone (destination zone). This combination of a source zone and a destination zone is called a context.
Example: right
Source Address
Specify the source IP address prefixes that the network service uses as match criteria for incoming traffic.
To add source addresses:
1. Click the Source Address column.
The source-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source
IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 10.0.2.30
Destination Address
Specify the destination IP address prefixes that the network service uses as match criteria for outgoing
traffic.
To add a destination address:
1. Click the Destination Address column.
The destination-address page appears.
2. Select any to match any destination IP address of packets or ipp to match a specific prefix in the
destination IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.0/24
Action
Select permit to transmit packets that match the rule or deny to drop packets that match the rule.
Example: permit
Application
Specify the applications to which the policy applies. The applications are based on protocols and ports.
To specify applications:
1. Click the Application column.
The application page appears.
2. In the allowed_apps field, select any to match any application or app to choose specific applications.
If you select app, press and hold the Ctrl key and click the required applications from the drop-down
list.
• junos-tcp-any
• junos-udp-any
• junos-ftp
• junos-http
• junos-https
• junos-icmp-all
• junos-icmp-ping
• junos-telnet
• junos-tftp
3. Click OK.
Example:
• junos-tcp-any
• junos-udp-any
Related Documentation
• About the Network Services Page
• About the Service Overview Page
• About the Service Instances Page
• Configuring VNF Properties
LxCIPtable VNF Configuration Settings
Your service provider usually configures base settings for the virtual machine (VM) in
which the virtualized network function (VNF) resides and you configure settings for the
service, such as policies.
Use the information in the following tables to provide values for the available settings:
• Table 176 shows the base settings you can configure for the Linux container.
NOTE: Your service provider usually configures the base settings and you
should not need to change them.
• Table 177 shows the firewall settings you can configure.
• Table 178 shows the Network Address Translation (NAT) settings you can
configure.
Table 176: Fields for the LxCIP Base Settings
Field
Description
Loopback Address
Specify a loopback IP address.
Example: 192.0.2.10
Operation
Select add to apply the policies to a specific route or del to prevent use of the policies on
specific routes.
Example: add
Route
Specify the IP prefix of the route to which the policies should apply.
Example: 192.0.2.20/24
NextHop
Specify the IP address of a Contrail gateway network to which the VM connects.
Example: 192.0.2.20
Table 177: Fields for the LxCIP Firewall Policy Settings
Field
Description
Firewall Policies
Prevent SSH Brute
Select True to prevent SSH brute-force attacks or False to leave this protection disabled.
Example: False
Prevent Ping Flood
Select True to prevent ping flood attacks or False to leave this protection disabled.
Example: False
Forwarding Rule Settings
Destination Address
Specify the destination IP address prefix that the network service uses as a match criterion for
outgoing traffic.
Example: 192.0.2.25/24
Operation
Select the operation, which applies to a chain of rules of the same type, from the drop-down list.
The following options are available:
• append—Append the rule to a rule chain.
• insert-before—Insert the rule before a rule with the same name.
• delete—Replace an existing rule with this name.
Example: append
Source Address
Specify the source IP address prefix that the network service uses as a match criterion for outgoing
traffic.
Example: 192.0.2.20/24
Name
Specify the name for the rule. The field has no limit on the number of characters and accepts
letters, numbers, and symbols.
Example: vsrx-fw-policy
Action
Select the action for the rule, which applies to all traffic that matches the specified criteria.
• accept—Transmit packets that match the policy parameters.
• drop—Drop packets that match the policy parameters.
• reject—Reject packets that match the policy parameters.
Example: accept
Service
Specify the service that you want the rule to match.
Example:
• http
• smtp
Type
Select the type of packet that the rule matches.
• input—Packets that the network service receives that are addressed to this VM
• forward—Packets that the network service receives that are addressed to other VMs
• output—Packets that the network service transmits
The application creates a chain of all rules with a particular type.
Example: input
Table 178: Fields for the LxCIP NAT Policy Settings
Field
Description
Left Interface
Specify the name of the interface on which the network service enforces NAT for incoming
traffic.
Example: Eth1
Right Interface
Specify the name of the interface on which the network service enforces NAT for outgoing
traffic.
Example: Eth2
Related Documentation
• Managing a Single Site
Cisco CSR-1000v VNF Configuration Settings
Your service provider usually configures base settings for the virtual machine (VM) in
which the virtualized network function (VNF) resides and you configure settings for the
service, such as policies. Use the information in the following tables to provide values for
the available settings:
• Table 179 shows the base settings you can configure for the virtual machine
(VM) that contains the VNF.
NOTE: Your service provider usually configures the base settings and you
should not need to change them.
• Table 180 shows the firewall settings you can configure.
Table 179: Fields for the CSR-1000v Base Settings
Field
Description
Host Name
Specify the hostname of the VM.
Example: host1
Loopback Address
Specify the IPv4 loopback IP address.
Example: 10.0.2.50
Name Servers
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS
name servers.
Example: 10.0.2.15
NTP Servers
Specify the FQDNs or IP addresses of one or more NTP servers.
Example: ntp.example.net
Table 180: Fields for the CSR-1000v Firewall Settings
Field
Description
Left Interface
Specify the identifier of the interface that transmits data to the host.
Example: GigabitEthernet2
Right Interface
Specify the identifier of the interface receiving data transmitted by the host.
Example: GigabitEthernet3
Left to Right Allowed Apps
Select the applications from the drop-down list for which the policy is enforced in outgoing
packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: http, https
Right to Left Allowed Apps
Select the application from the drop-down list for which the policy is enforced for incoming
packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: ftp, udp
Related Documentation
• Managing a Single Site
Riverbed Steelhead VNF Configuration Settings
You configure the Riverbed Steelhead VNF through its own software. See the Riverbed
Steelhead documentation for information about how to configure the application. You
can view the following setting:
Management IP—IP address of the sxe0 interface on JDM for the NFX250. For example:
192.0.2.25.
Related Documentation
• Managing a Single Site
Silver Peak VX VNF Configuration Settings
You configure the Silver Peak VX VNF through its own software. Refer to the Silver Peak
VX documentation for information on how to configure the application. You can view
the following setting on the Configure Device page:
Management IP—IP address of the sxe0 interface on JDM for the NFX250. For example:
192.0.2.25
Related Documentation
• Managing a Single Site
CHAPTER 34
Managing Firewall Policies
• Firewall Policy Overview
• About the Firewall Policy Page
• Firewall Policy Use Cases
• Creating Firewall Policy Intents
• Editing, Cloning, and Deleting Firewall Policy Intents
• Firewall Policy Schedules Overview
• About the Firewall Policy Schedules Page
• Creating Schedules
• Editing, Cloning, and Deleting Schedules
Firewall Policy Overview
Contrail Service Orchestration (CSO) provides the ability to create, modify, and delete
firewall policy intents associated with a firewall policy. Firewall policies are presented
as intent-based policies. A firewall policy intent controls transit traffic within a context
that is derived from the endpoints defined in the intent. Intent-based firewall policies
can incorporate both transport layer (Layer 4) and application layer (Layer 7) firewall
constructs in a single intent. The underlying system automatically analyzes the intent and
translates it into the set of rules that the devices understand. The choice of sequence and
the assignment happen implicitly, based on the endpoints in the intent definition. The
intent consists of source and destination endpoints. Endpoints can be applications (L7),
sites or site groups, IP addresses or address groups, services, or departments.
NOTE: Intent-based policies are not applicable for Hybrid WAN deployments.
Firewall policies provide security functionality by enforcing intents on traffic that passes
through a device. Traffic is permitted or denied based on the action defined as the firewall
policy intent.
A firewall policy provides the following features:
• Permits, rejects, or denies traffic based on the application in use.
• Identifies not only HTTP but also any application running on top of it, enabling you to
properly enforce policies. For example, an application firewall intent could block HTTP
traffic from Facebook but allow Web access to HTTP traffic from Microsoft Outlook.
Related Documentation
• About the Firewall Policy Page
• Firewall Policy Use Cases
• Creating Firewall Policy Intents
• Editing, Cloning, and Deleting Firewall Policy Intents
About the Firewall Policy Page
To access this page, select Configuration > Firewall > Firewall Policy.
Use this page to view and manage policy intents associated with your site or site groups.
You can filter and sort this information to get a better understanding of what you want
to configure.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a firewall policy intent. See “Creating Firewall Policy Intents”.
• Modify, clone, or delete firewall policy intents. See “Editing, Cloning, and Deleting Firewall
Policy Intents”.
• Deploy a firewall policy. See “Deploying Policies”.
NOTE: An orange line is displayed against all undeployed firewall policy
intents.
• Search for a firewall policy intent. See “Searching for Text in an Object Data Table”.
• Show or hide columns. Click the Show Hide Columns icon at the top right corner of the
page.
• View undeployed intents. Click the Show Hide Columns icon at the top right corner of
the page and select Undeployed Intent under Quick Filters.
Field Descriptions
Table 181 provides guidelines on using the fields on the Firewall Policy page.
Table 181: Fields on the Firewall Policy Page
Field
Description
Source
Source endpoint to which a firewall policy intent applies. A source endpoint can be addresses,
sites, site groups, or departments.
Destination
Destination endpoint to which a firewall policy intent applies. A destination endpoint can
be addresses, services, sites, application signatures and groups, services and groups, or
departments.
Options
Displays scheduling and logging information applicable to the firewall policy intent.
Total
Number of intents associated with the firewall policy.
Undeployed
Number of intents associated with the firewall policy that are either newly created or updated,
but are not yet deployed.
Related Documentation
• Firewall Policy Overview
• Creating Firewall Policy Intents
• Firewall Policy Use Cases
• Editing, Cloning, and Deleting Firewall Policy Intents
• About the Deployments Page
• Deploying Policies
Firewall Policy Use Cases
The following examples provide an understanding of how you can construct intent-based
firewall policies for different traffic scenarios across sources and destinations.
• Firewall Policy Use Case - 1
• Firewall Policy Use Case - 2
• Firewall Policy Use Case - 3
• Firewall Policy Use Case - 4
• Firewall Policy Use Case - 5
Firewall Policy Use Case - 1
Define a firewall policy that controls access to specific applications for various
departments, with the following intents:
• All PR departments located in site A and site B (which are in different geographical
locations) are permitted to access the news applications BBC and CNN.
• All engineering departments located in site A and site B (which are in different
geographical locations) are denied access to the news applications BBC and CNN.
• Access to Telnet and SSH applications is given only to the engineering department.
• Access to Telnet and SSH applications is denied to all departments, except for the
engineering department.
Table 182 shows the firewall policy intents that are needed to fulfil this requirement:
Table 182: Firewall Policy Use Case - 1
Source | Destination (Application) | Action
PR department, site A and PR department, site B | BBC and CNN | Permit
Engineering department, site A and Engineering department, site B | BBC and CNN | Deny
Engineering department | Telnet and SSH | Permit
Any (All addresses except the engineering department) | Telnet and SSH | Deny
NOTE: The number of intents depends on the number of source sites with
the given department and the number of destination sites.
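The following added example (not CSO code and not part of the original guide) models the four intents of Table 182 in Python to show why the evaluation order of overlapping intents matters and how one intent expands across sites. The most-specific-source-first ordering, the first-match evaluation, the intent names, and the site-to-department map are assumptions made for illustration; the guide states only that CSO chooses the sequence implicitly from the endpoints.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


@dataclass(frozen=True)
class Intent:
    name: str                              # hypothetical label, not a CSO value
    departments: Optional[FrozenSet[str]]  # None models the "Any" source
    sites: Optional[FrozenSet[str]]        # None models "all sites"
    applications: FrozenSet[str]
    action: str                            # "permit" or "deny"

    def matches(self, dept: str, site: str, app: str) -> bool:
        return ((self.departments is None or dept in self.departments)
                and (self.sites is None or site in self.sites)
                and app in self.applications)

    def specificity(self) -> int:
        """Count of source dimensions (department, site) that are constrained."""
        return int(self.departments is not None) + int(self.sites is not None)

    def covers(self, other: "Intent") -> bool:
        """True when every flow matched by `other` is also matched by this intent."""
        def superset(mine, theirs):
            return mine is None or (theirs is not None and theirs <= mine)
        return (superset(self.departments, other.departments)
                and superset(self.sites, other.sites)
                and other.applications <= self.applications)


# The four rows of Table 182. The "Any ... except the engineering department"
# row is modelled as a wildcard; the exception comes from evaluation order.
USE_CASE_1 = [
    Intent("pr-news-permit", fs("PR"), fs("site A", "site B"), fs("BBC", "CNN"), "permit"),
    Intent("eng-news-deny", fs("Engineering"), fs("site A", "site B"), fs("BBC", "CNN"), "deny"),
    Intent("eng-remote-permit", fs("Engineering"), None, fs("Telnet", "SSH"), "permit"),
    Intent("any-remote-deny", None, None, fs("Telnet", "SSH"), "deny"),
]

# Constructed sample topology: which departments exist at which site.
SITE_DEPARTMENTS: Dict[str, Set[str]] = {
    "site A": {"PR", "Engineering", "HR"},
    "site B": {"PR", "Engineering"},
    "site C": {"HR"},
}


def order_intents(intents: List[Intent]) -> List[Intent]:
    """Assumed sequencing: intents with more constrained sources go first (stable sort)."""
    return sorted(intents, key=lambda i: -i.specificity())


def decide(ordered: List[Intent], dept: str, site: str, app: str) -> Optional[str]:
    """First matching intent wins; None means no intent addresses this flow."""
    for intent in ordered:
        if intent.matches(dept, site, app):
            return intent.action
    return None


def shadowed(ordered: List[Intent]) -> List[str]:
    """Names of intents that can never fire because an earlier, broader intent
    with a different action already matches all of their traffic."""
    hidden = []
    for pos, later in enumerate(ordered):
        if any(e.covers(later) and e.action != later.action for e in ordered[:pos]):
            hidden.append(later.name)
    return hidden


def expand_sources(intent: Intent, site_departments: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(department, site) pairs an intent applies to, one per source site that
    actually hosts the department, as the NOTE above describes."""
    pairs = []
    for site, depts in site_departments.items():
        if intent.sites is not None and site not in intent.sites:
            continue
        for dept in depts:
            if intent.departments is None or dept in intent.departments:
                pairs.append((dept, site))
    return sorted(pairs)


if __name__ == "__main__":
    entered = [USE_CASE_1[3]] + USE_CASE_1[:3]   # broad deny entered first
    print("shadowed as entered:", shadowed(entered))
    ordered = order_intents(entered)
    print("shadowed after ordering:", shadowed(ordered))
    print("Engineering/SSH:", decide(ordered, "Engineering", "site A", "SSH"))
    print("HR/SSH:", decide(ordered, "HR", "site C", "SSH"))
```

Running `shadowed()` over a policy before deployment is a quick review check: any name it returns is an intent whose action will never take effect in that order.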
Firewall Policy Use Case - 2
Define a firewall policy that denies access to networking sites such as Facebook and
Twitter (defined as application group Social Networking) to the HR, finance, and IT
departments located in Site A.
Table 183 shows the firewall policy intents that are needed to fulfil this
requirement:
Table 183: Firewall Policy Use Case - 2
Source Department | Destination Application Group | Action
HR, Finance, IT, site A | Application group Social Networking (Facebook and Twitter) | Deny
NOTE: Add site A only if the HR, Finance, or IT departments are present in
different sites but you want to apply this firewall policy intent only to the
HR, Finance, and IT departments present in site A.
Firewall Policy Use Case - 3
Define a firewall policy that controls traffic to example.com based on the services used
by the source endpoint, with the following intents:
• The IT team in site A is permitted access to FTP and HTTP services.
• The IT team in site B is only permitted access to the FTP service.
Table 184 shows the firewall policy intents that are needed to fulfil this
requirement:
Table 184: Firewall Policy Use Case - 3
Source Address | Service | Destination Address | Action
IT, site A | FTP and HTTP | example.com | Permit
IT, site B | FTP | example.com | Permit
Firewall Policy Use Case - 4
Define a firewall policy that controls access to an address over the internet (HTTP) for
various sites or site groups with the following intents:
• All addresses of site A and site B are permitted access to example.com.
• All addresses of site group Q1 are denied access to example-one.com.
Table 185 shows the firewall policy intents that are needed to fulfil this
requirement:
Table 185: Firewall Policy Use Case - 4
Source Address | Service | Destination Address | Action
IP address prefix, site A and IP-Prefix, site B | HTTP | www.example.com | Permit
IP address prefix, site group Q1 | HTTP | www.example-one.com | Deny
Firewall Policy Use Case - 5
Define a firewall policy where a specific IP address belonging to all sites and departments
is permitted or denied the use of HTTP or FTP as a service.
Table 186 shows the firewall policy intents that are needed to fulfil this
requirement:
Table 186: Firewall Policy Use Case - 5
Source Address | Service | Destination Address | Action
192.0.2.0 | HTTP | example.com | Permit
192.0.2.0 | FTP | example.com | Deny
Related Documentation
• Firewall Policy Overview
• About the Firewall Policy Page
• Creating Firewall Policy Intents
• Editing, Cloning, and Deleting Firewall Policy Intents
Creating Firewall Policy Intents
Use this page to configure a firewall intent that controls transit traffic within a context
(source zone to destination zone). The traffic is classified by matching its source and
destination zones, the source and destination addresses, and the application that the
traffic carries in its protocol headers with the policy database.
To configure a firewall policy intent:
1. Select Configuration > Firewall > Firewall Policy.
2. Click the add icon (+).
The Firewall Policy page appears.
3. Complete the configuration according to the guidelines provided in
Table 187.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, a new firewall policy intent with the provided configuration is created.
Table 187 provides guidelines on using the fields on the Create Firewall Policy
page.
Table 187: Fields on the Create Firewall Policy Page
Field
Description
General Information
Name
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores.
No spaces are allowed and the maximum length is 255 characters. If you do not enter a
name, the intent is saved with a default name assigned by CSO.
Description
Enter a description for the policy intent; maximum length is 1024 characters. Comments
entered in this field are sent to the device.
Identify the traffic that the intent applies to
Source
You can select the source endpoints in one of the following ways:
• Click on the add icon (+) to select source endpoints from the displayed list of addresses,
departments, sites and site groups, or a combination of these.
• Select the source endpoint from the complete list of addresses, departments, sites, or
site groups.
To view the complete list of addresses, departments, or sites:
1. Click on Source. A list of relevant end points is displayed.
2. Click on the View more results link provided at the bottom of the source end points. The
complete list of addresses, departments, sites, and site groups is displayed in the
End Points panel on the right.
3. (Optional) Click the edit icon to edit the address, department, or site group endpoint.
You cannot edit a site endpoint.
4. Click the check mark icon (√) to select the endpoint as a source.
• Enter an abbreviation in the Source field to select the source endpoint from a filtered list
of source endpoints.
• To view a filtered list of addresses, enter ADDR or addr.
• To view a filtered list of departments, enter DEPT or dept.
• To view a filtered list of sites, enter SITE or site.
Click the endpoints in the filtered list to select them. You can also select the endpoint
from the complete list of addresses, departments, and sites. See “Step-by-Step
Procedure”.
• Create addresses, departments, or site groups for use as a source end point, from the
End Points panel.
To create addresses, departments, or site groups from the End Points panel:
1. Click on the Source field.
2. Click the lesser-than icon (<) on the right.
The End Points panel appears, displaying the list of available addresses, departments,
and sites.
3. (Optional) To view more information about a source endpoint, click the details icon
on the right of the endpoint.
4. Click the add icon (+) on the top right of the panel.
5. Create addresses, departments, or site groups as source end points. See the End
Points row in this table for more information.
6. Click the check mark icon (√) if you want to add the new end point as a source.
Alternatively, if you want to discard your updates, click Cancel instead.
• Create a new address from the Source field and use the newly created address as a
source end point:
You can create an address directly from the source, in two ways:
You can type the address directly in the Source field. If the address is valid, it is created
immediately and added as a source endpoint.
You can also create an address from Source, using the following steps:
1. In Source, type addr. The link Add new address appears at the bottom of the list of
addresses.
2. Click on Add new address to create a new address.
The Create Addresses page appears.
3. Configure the new address. See “Creating Addresses or Address Groups”.
4. Click Save to save the new address.
The new address is created, and will be listed as an option for the source. Select the
new address to add it to the source.
• Create a new department from the Source field and use the newly created department
as a source end point:
To create a new department from Source:
1. In Source, type dept. The link Add new department appears at the bottom of the list
of departments.
2. Click on Add new department to create a new department.
The Create Department page appears.
3. Configure the new department. See “Creating a Department”.
4. Click Save to save the new department.
The new department is created, and will be listed as an option for the source. Select
the new department to add it to the source.
Destination
You can select the destination endpoints in one of the following ways:
• Click on the add icon (+) to select destination endpoints from the displayed list of
addresses, applications, departments, services, sites, or a combination of these.
• Select the destination endpoint from the complete list of addresses, applications,
departments, services, or sites.
To view the complete list of addresses, applications, departments, services, and sites:
1. Click on Destination. A list of relevant end points is displayed.
2. Click on the View more results link provided at the bottom of the destination end points options.
The complete list of addresses, applications, departments, services, and sites is
displayed in the End Points panel on the right.
3. (Optional) Click the edit icon to edit an address, application, department, or service
endpoint. You cannot edit a site endpoint.
4. Click the check mark icon (√) to select the endpoint as a destination.
• Enter an abbreviation in the Destination field to select the destination endpoint from a filtered
list of destination endpoints.
• To view a filtered list of addresses, enter ADDR or addr.
• To view a filtered list of applications, enter APPS or apps.
• To view a filtered list of departments, enter DEPT or dept.
• To view a filtered list of services, enter SVCS or svcs.
• To view a filtered list of sites, enter SITE or site.
• To view a filtered list of site groups, enter STGP or stgp.
Click the endpoints in the filtered list to select them. You can also select the endpoint
from the complete list of addresses, applications, departments, services, and sites. See
“Step-by-Step Procedure”.
• Create addresses, applications, departments, services, or site groups for use as a
destination end point, from the End Points panel.
To create addresses, applications, departments, services, or site groups from the End
Points panel:
1. Click anywhere within the Destination field.
2. Click the lesser-than icon (<) on the right.
The End Points panel with the list of available addresses, applications, departments,
services, and site groups appears on the right.
3. (Optional) To view more information about a destination endpoint, click the details
icon on the right of the endpoint.
4. Click the add icon (+) on the top right of the panel.
5. Create addresses, applications, departments, services, or site groups as destination
end points. See the End Points row in this table for more information.
6. Click the check mark icon (√) if you want to save the new end point as a destination.
Alternatively, if you want to discard your updates, click Cancel instead.
• Create a new address from the Destination field and use the newly created address as
a destination end point:
You can create an address directly from the destination, in two ways:
You can type the address directly in the Destination field. If the address is valid, it is created
immediately and added as a destination endpoint.
You can also create an address from Destination, using the following steps:
1. In Destination, type addr. The link Add new address appears at the bottom of the list
of addresses.
2. Click on Add new address to create a new address.
The Create Addresses page appears.
3. Configure the new address. See “Creating Addresses or Address Groups”.
4. Click Save to save the new address.
The new address is created, and will be listed as an option for the destination. Select
the new address to add it to the destination.
• Create a new application signature group from the Destination field and use the newly
created application signature group as a destination end point:
To create a new application signature group from Destination:
1. In Destination, type apps. The link Add new application appears at the bottom of the
list of applications.
2. Click on Add new application to create a new application.
The Create Application Signature Group page appears.
3. Configure the new application signature group. See “Creating Application Signature
Groups”.
4. Click Save to save the new application signature group.
The new application signature group is created, and will be listed as an option for the
destination. Select the new application signature group to add it to the destination.
• Create a new department from the Destination field and use the newly created
department as a destination end point:
To create a new department from Destination:
1. In Destination, type dept. The link Add new department appears at the bottom of the
list of departments.
2. Click on Add new department to create a new department.
The Create Department page appears.
3. Configure the new department. See “Creating a Department”.
4. Click Save to save the new department.
The new department is created, and will be listed as an option for the destination.
Select the new department to add it to the destination.
• Create a new service or service group from the Destination field and use the newly created
service or service group as a destination end point:
To create a new service or service group from Destination:
1. In Destination, type svcs. The link Add new service appears at the bottom of the list
of services.
2. Click on Add new service to create a new service or service group.
The Create Service page appears.
3. Configure the new service or service group. See “Creating Services and Service Groups”.
4. Click Save to save the new service or service group.
The new service or service group is created, and will be listed as an option for the
destination. Select the new service or service group to add it to the destination.
Select Action
Click the add icon (+) to choose whether you want to permit, deny, or reject traffic between
the source and destination.
• Allow—Device permits traffic using the type of firewall authentication you applied to the
policy.
• Deny—Device silently drops all packets for the session and does not send any active
control messages such as TCP Resets or ICMP unreachable.
• Reject—Device sends a TCP reset if the protocol is TCP, and device sends an ICMP reset
if the protocols are UDP, ICMP, or any other IP protocol. This option is useful when dealing
with trusted resources so that applications do not waste time waiting for timeouts and
instead get the active message.
Options
Scheduling
Policy schedules enable you to define when a policy is active, and thus are an implicit match
criterion. You can define the day of the week and the time of the day when the policy is
active. For instance, you can define a security policy that opens or closes access based on
business hours. Select a pre-saved schedule and the schedule options are populated with
the selected schedule’s data.
To add a schedule to a firewall policy:
1. Click Scheduling to enable scheduling.
2. Click the add icon (+) to add an existing schedule. If you want to view more results in
the End Points pane, click View more results.
Alternately, you can add a schedule from the End Points panel by selecting the schedule
and clicking the check mark icon (√).
3. The selected schedule is added to the firewall policy.
You can also create new schedules and then associate the schedule to your firewall policy.
To create a new schedule and then add it to a firewall policy:
1. Click Scheduling to enable scheduling.
2. Click the add icon (+), and then click Add new schedule.
The Create Schedules page appears.
3. Alternately, click the less-than icon (<) to open the End Points panel. Click the add
icon (+) on the top right of the panel and select Schedule.
The Create Schedules page appears.
4. Create a new schedule. See “Creating Schedules” on page 324.
The new schedule appears in the list of schedules when you click Scheduling and in
the End Points tab, under Schedules.
5. Select the schedule and click the add icon (+) to add it to the firewall policy.
Logging
Enable logging by selecting the Logging option.
Create source and destination endpoints
End Points
To add an end point to the source or destination:
1. Click Source or Destination and then click the less-than icon (<) on the right side of the
page to open the End Points panel.
The End Points panel displays the end points relevant to the source or destination
based on your selection.
• End points from addresses, departments, and sites are displayed for source.
• End points from addresses, applications, departments, services, and sites are displayed
for destination.
NOTE: You can also search for a specific end point using the search option.
2. (Optional) Click the edit icon (pencil symbol) to modify an end point.
3. (Optional) Click the details icon on the right of the end point to view more information
about a source or destination end point.
4. Select the end point you want to add and click the check mark icon (√) to add it to the
source or destination.
The selected end point is added to the source or destination.
To create new source and destination endpoints:
1. Click the less-than icon (<) on the right side of the page, to open the End Points panel.
2. Click on the add icon (+) on the top right of the End Points panel.
A list of end points that you can create is displayed.
3. Select the end point you want to create.
You can create the following end points:
• Create an address. See “Creating Addresses or Address Groups” on page 355.
• Create a site group. See “Creating Site Groups” on page 400.
• Create a department. See “Creating a Department” on page 373.
• Create a service. See “Creating Services and Service Groups” on page 360.
• Create an application signature group. See “Creating Application Signature Groups”
on page 369.
• Create a schedule. See “Creating Schedules” on page 324.
4. Click Save to create the new end point.
The created end point is listed in the End Points panel.
5. Select the end point you want to add to the source or destination, and click on the check
mark icon (√).
The end point is added to the source or destination.
Related
Documentation
•
Firewall Policy Overview on page 307
•
About the Firewall Policy Page on page 308
•
Firewall Policy Use Cases on page 309
•
Editing, Cloning, and Deleting Firewall Policy Intents on page 321
•
Creating Addresses or Address Groups on page 355
•
Creating Site Groups on page 400
•
About the Sites Page on page 383
•
Creating a Department on page 373
•
Creating Application Signature Groups on page 369
•
Creating Services and Service Groups on page 360
Editing, Cloning, and Deleting Firewall Policy Intents
You can edit, clone, and delete firewall policy intents from the Firewall Policy page.
•
Editing Firewall Policy Intents on page 321
•
Cloning Firewall Policy Intents on page 322
•
Deleting Firewall Policy Intents on page 322
Editing Firewall Policy Intents
To modify the parameters configured for a firewall policy intent:
1. Select Configuration > Firewall > Firewall Policy.
The Firewall Policy page appears, displaying the intents associated with the policy.
2. Hover over the firewall policy intent that you want to edit, and then click on the edit
icon (pencil symbol) that appears on the right side of the intent.
The Firewall Policy page displays the same options as those that appear when you
create a new firewall policy intent.
3. Modify the parameters following the guidelines provided in “Creating Firewall Policy
Intents” on page 312.
4. Click Save to save the changes. If you want to discard your changes, click Cancel
instead.
If you click Save, the modified intent appears on the Firewall Policy page.
Cloning Firewall Policy Intents
To clone a firewall policy intent:
1. Select Configuration > Firewall > Firewall Policy.
The Firewall Policy page appears, displaying the intents associated with the policy.
2. Hover over the firewall policy intent that you want to clone, and then click on the clone
icon that appears on the right side of the intent.
The Firewall Policy page displays the same options as those that appear when you
create a new firewall policy intent. Update the cloned intent as required.
3. Click Save to save the changes. If you want to discard your changes, click Cancel
instead.
If you click Save, the cloned intent is added to the firewall policy and appears on the
Firewall Policy page.
Deleting Firewall Policy Intents
To delete a firewall policy intent:
1. Select Configuration > Firewall > Firewall Policy.
The Firewall Policy page appears, displaying the intents associated with the policy.
2. Select the firewall policy intent you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete the selected intent.
3. Click Yes to delete the selected intent. If you do not want to delete, click Cancel instead.
If you click Yes, the selected intent is deleted from the policy.
Related
Documentation
•
Firewall Policy Overview on page 307
•
About the Firewall Policy Page on page 308
•
Firewall Policy Use Cases on page 309
•
Creating Firewall Policy Intents on page 312
Firewall Policy Schedules Overview
A schedule allows a policy to be active for a specified duration. If you want a policy to be
active during a scheduled time, you must first create a schedule for that policy or link the
policy to an existing schedule. When a schedule timeout expires, the associated policy
is deactivated and all sessions associated with the policy are also timed out.
If a policy contains a reference to a schedule, that schedule determines when the policy
is active. When a policy is active, it can be used as a possible match for traffic. A schedule
lets you restrict access to, or remove a restriction from a resource, for a period of time.
A schedule uses the following guidelines:
• A schedule can have multiple policies associated with it; however, a policy cannot be
associated with multiple schedules.
• A policy remains active as long as the schedule it refers to is also active.
A schedule can be active during a single time slot, as specified by a start date and time,
and a stop date and time.
• A schedule can be active forever (recurrent), but only as specified by the daily schedule.
The schedule on a specific day (time slot) takes priority over the daily schedule.
• A scheduler can be active during a time slot, as specified by the weekday schedule.
• A scheduler can be active within two different time slots (daily or for a specified duration).
Related Documentation
• About the Firewall Policy Schedules Page on page 323
• Firewall Policy Use Cases on page 309
• Creating Schedules on page 324
• Editing, Cloning, and Deleting Schedules on page 326
About the Firewall Policy Schedules Page
To access this page, select Configuration > Firewall > Schedules.
The Firewall Policy Schedules page enables you to create, modify, clone, and delete
schedules. A schedule allows you to restrict access to a resource, or remove a restriction
to a resource, for a specified period of time.
Tasks You Can Perform
You can perform the following tasks from this page:
•
Create a firewall policy schedule. See “Creating Schedules” on page 324.
•
Modify, clone, or delete a firewall policy schedule. See “Editing, Cloning, and Deleting
Schedules” on page 326.
•
View the configured parameters of a schedule. Click the details icon that appears when
you hover over the name of an image or click More > Detailed View. See “Viewing Object
Details” on page 223.
•
Show or hide columns about the firewall policy schedule. See “Sorting Objects” on
page 223.
•
Search for a specific firewall policy schedule. See “Searching for Text in an Object Data
Table” on page 224.
Field Descriptions
Table 188 on page 324 provides guidelines on using the fields on the Firewall Policy
Schedules page.
Table 188: Fields on the Firewall Policy Schedules Page
Field
Description
Name
Name of the schedule; maximum length is 63 characters.
Description
Description for the schedule; maximum length is 900 characters.
Start Date
The date and time from when the schedule comes into effect.
End Date
The date and time from when the schedule ends.
Second Start Date
The second date and time from when the schedule comes into effect.
Second End Date
The second date and time from when the schedule ends.
Related
Documentation
•
Firewall Policy Schedules Overview on page 323
•
Firewall Policy Use Cases on page 309
•
Creating Schedules on page 324
•
Editing, Cloning, and Deleting Schedules on page 326
Creating Schedules
Use the Create Schedules page to create schedules. A schedule allows you to restrict
access to a resource, or remove a restriction to a resource, for a specified period of time.
To configure a schedule:
1. Select Configuration > Firewall > Schedules.
The Firewall Policy Schedules page appears.
2. Click the add icon (+).
The Create Schedules page appears.
3. Complete the configuration of the schedule according to the guidelines provided in
Table 189 on page 325.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new schedule is created. You can use this schedule to activate firewall policies for the
times and dates configured in your schedules.
Table 189 on page 325 provides guidelines on using the fields to create a schedule.
Table 189: Fields on the Create Schedules Page
Field
Description
General Information
Name
Required. Enter a unique name for the service. It must begin with an alphanumeric character
and cannot exceed 63 characters. Dashes and underscores are allowed.
Description
Enter a description for your service. You should make this description as useful as possible
for all administrators.
Dates
Date Range
Select Ongoing if you want your schedules to always be active.
Select Custom to configure two sets of start and end dates for a single schedule. For the
first set, enter dates in the Start Date and End Date fields. You must enter the days in
MM/DD/YYYY format.
For the second set of the schedule, enter the start date in the Second Start Date field and
enter the end date in the Second End Date field.
Times
Time Ranges
Create a schedule to be active daily or for any specific times of the day.
Daily Options
Select Daily to make the schedule applicable daily.
Select Custom to enter specific days and times. Click on a specific day to specify time options
for an entire day, to exclude a specific day, or to enter time ranges for the selected day. You
must enter the time in HH:MM:SS format.
For example, if you click on Monday, you get a dialog box that allows you to specify whether
you want the schedule to be active all day Monday, exclude Monday from the schedule, or
have the schedule be active at specific times.
Select Specify the same time for all days to enter a date and time that is applicable for all
days.
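The schedule rules from the overview and the fields in this table, as an added Python example that is not CSO or Junos code: it parses the MM/DD/YYYY and HH:MM:SS formats, lets a per-day setting take priority over the daily time ranges, and lists session times that fall outside the schedule. All class, function, and field names are hypothetical, range ends are assumed to be inclusive, and the sample schedule and session timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

ALL_DAY, EXCLUDE = "all-day", "exclude"  # per-day choices (hypothetical labels)
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]


def _date(text):
    """Parse the MM/DD/YYYY format required by the Date Range fields."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def _time_ranges(pairs):
    """Parse (start, stop) pairs given in the required HH:MM:SS format."""
    ranges = []
    for start, stop in pairs:
        begin = datetime.strptime(start, "%H:%M:%S").time()
        end = datetime.strptime(stop, "%H:%M:%S").time()
        if end < begin:
            raise ValueError(f"time range {start}-{stop} ends before it starts")
        ranges.append((begin, end))
    return ranges


@dataclass
class Schedule:
    name: str
    date_ranges: list = field(default_factory=list)  # empty list = Ongoing
    daily: list = field(default_factory=list)        # empty list = whole day
    per_day: dict = field(default_factory=dict)      # weekday -> rule

    def __post_init__(self):
        if len(self.date_ranges) > 2:
            raise ValueError("a schedule takes at most two start/end date sets")
        self._dates = [(_date(a), _date(b)) for a, b in self.date_ranges]
        if any(end < start for start, end in self._dates):
            raise ValueError("end date precedes start date")
        self._daily = _time_ranges(self.daily)
        self._per_day = {}
        for day, rule in self.per_day.items():
            if day not in WEEKDAYS:
                raise ValueError(f"unknown weekday: {day}")
            fixed = rule in (ALL_DAY, EXCLUDE)
            self._per_day[day] = rule if fixed else _time_ranges(rule)

    def is_active(self, when):
        """True if a policy that references this schedule is active at `when`."""
        today = when.date()
        if self._dates and not any(s <= today <= e for s, e in self._dates):
            return False
        # A setting for the specific day takes priority over the daily schedule.
        rule = self._per_day.get(WEEKDAYS[when.weekday()], self._daily)
        if rule == EXCLUDE:
            return False
        if rule == ALL_DAY or not rule:
            return True
        return any(s <= when.time() <= e for s, e in rule)


def outside_schedule(schedule, session_starts):
    """Return the timestamps (YYYY-MM-DD HH:MM:SS) at which the schedule is inactive."""
    return [ts for ts in session_starts
            if not schedule.is_active(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))]


# Constructed sample: business hours, short Fridays, no weekends, two date sets.
BUSINESS_HOURS = Schedule(
    name="business-hours",
    date_ranges=[("01/01/2018", "06/30/2018"), ("09/01/2018", "12/31/2018")],
    daily=[("08:00:00", "18:00:00")],
    per_day={"friday": [("08:00:00", "12:00:00")],
             "saturday": EXCLUDE, "sunday": EXCLUDE},
)

# Constructed session start times for a policy that references the schedule.
SESSIONS = [
    "2018-02-12 09:30:00",  # Monday, inside the daily range
    "2018-02-12 19:00:00",  # Monday, after hours
    "2018-02-16 13:00:00",  # Friday afternoon, cut off by the per-day setting
    "2018-02-17 10:00:00",  # Saturday, excluded
    "2018-07-16 09:30:00",  # Monday, between the two date sets
    "2018-09-03 09:30:00",  # Monday, inside the second date set
]

if __name__ == "__main__":
    for ts in outside_schedule(BUSINESS_HOURS, SESSIONS):
        print("session outside schedule window:", ts)
```
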
Related
Documentation
•
Firewall Policy Schedules Overview on page 323
•
About the Firewall Policy Schedules Page on page 323
•
Firewall Policy Use Cases on page 309
•
Editing, Cloning, and Deleting Schedules on page 326
Editing, Cloning, and Deleting Schedules
You can edit, clone, and delete schedules from the Firewall Policy Schedules page.
•
Editing Schedules on page 326
•
Cloning Schedules on page 326
•
Deleting Schedules on page 327
Editing Schedules
To modify the parameters configured for a schedule:
1. Select Configuration > Firewall > Schedules.
The Firewall Policy Schedules page appears.
2. Select the schedule that you want to edit, and then click on the edit icon (pencil
symbol) on the right top corner of the table, or right-click and select Edit Schedule.
The Edit Schedules page appears, showing the same options as when creating a new
schedule.
3. Modify the parameters according to the guidelines provided in “Creating Schedules”
on page 324.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, the modified schedule appears on the Firewall Policy Schedules page.
Cloning Schedules
To clone a schedule:
1. Select Configuration > Firewall Policy > Schedules.
The Firewall Policy Schedules page appears.
2. Right-click on the schedule that you want to clone and then click Clone, or select More
> Clone.
The Clone Schedules page appears with editable fields. You can modify the parameters
according to the guidelines provided in “Creating Schedules” on page 324.
3. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, the cloned schedule appears under the schedule it is cloned from, on the
Firewall Policy Schedules page.
Deleting Schedules
To delete a schedule:
1. Select Configuration > Firewall Policy > Schedules.
The Firewall Policy Schedules page appears.
2. Select the schedule you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete the schedule.
3. Click Yes to delete the selection. If you do not want to delete, click Cancel instead.
If you click Yes, the selected schedule is deleted.
Related
Documentation
•
Firewall Policy Schedules Overview on page 323
•
About the Firewall Policy Schedules Page on page 323
•
Creating Schedules on page 324
•
Firewall Policy Use Cases on page 309
CHAPTER 35
Managing SD-WAN
•
SLA Profiles and SD-WAN Policies Overview on page 329
•
About the SD-WAN Policy Page on page 332
•
Creating SD-WAN Policy Intents on page 333
•
Editing and Deleting SD-WAN Policy Intents on page 337
•
About the Application SLA Profiles Page on page 338
•
Creating SLA Profiles on page 339
•
Editing and Deleting SLA Profiles on page 341
SLA Profiles and SD-WAN Policies Overview
Contrail Service Orchestration (CSO) enables you to create service-level agreement
(SLA) profiles and map them to software-defined WAN (SD-WAN) policies for traffic
management.
SLA Profiles
SLA profiles are created for applications or groups of applications for all tenants. An SLA
profile consists of a set of configurable constraints that can be defined in the unified
portal for both the Administration and Customer Portals. Table 190 on page 329 lists the
categories of configurable constraints that are defined in an SLA profile.
Table 190: SLA Profile Categories
Category
Description
Path preference and priority
Paths are the WAN links to be used for the SLA profile. You can choose an MPLS or Internet link as
a preferred path. MPLS is more latency-sensitive than Internet.
You can define priority or precedence for the SLA profile. A value of one (1) indicates highest priority.
SLA profiles with higher priorities are given precedence over SLA profiles with lower priorities. Priority
is used when SLA requirements are not met on a WAN link and the site switches WAN links to meet
the SLA requirements.
SLA parameters
You can define one or more of the following SLA parameters:
• Throughput—Amount of data (in Mbps) that is sent upstream and received downstream by the
site during the selected time period
• Latency—Amount of time (in ms) that a packet of data takes to travel from one designated point
to another
• Packet loss—Percentage of data packets dropped by the network to manage congestion
• Jitter—Difference between the maximum and minimum round-trip times (in ms) of a packet of
data
SLA parameters have precedence over path preference. Even if one SLA parameter is defined, then
it is given a higher priority and will override the path preference. SD-WAN policies mapped to an SLA
profile with defined SLA parameters are called dynamic policies. Dynamic policies applied to sites
enable the site to override the path preference and switch WAN links when the preferred WAN link
is not meeting SLA requirements as defined in the SLA parameters.
Class of service
Class of service (CoS) provides different levels of service assurances to various forms of traffic. CoS
enables you to divide traffic into classes and offer an assured service level for each class. The classes
of service listed in increasing order of priority and sensitivity to latency are best effort, voice, interactive
video, streaming audio or video, control, and business essential. The default CoS is voice.
Rate limiters
Rate limiters are defined for traffic shaping and efficient bandwidth utilization. You can define the
following rate limiters:
• Maximum upstream and downstream rates—The maximum upstream and downstream rate for
all applications associated with the SLA profile.
• Maximum upstream and downstream burst sizes—The maximum size of a steady stream of traffic
sent at average rates that exceed the upstream and downstream rate limits for short periods.
NOTE: You must define at least one of the SLA parameters or path preference.
You cannot leave both path preference and SLA parameters fields blank at
the same time.
SD-WAN Policies
SLA profiles are used by SD-WAN policy intents for traffic management. SD-WAN policies
help in optimum utilization of the WAN links and efficient distribution of traffic. Every
tenant has an SD-WAN policy and intents are created in the SD-WAN policy. Policy
intents consist of the following parameters:
•
Source—A source endpoint that you can choose from a list of sites, site groups, and
departments or a combination of all of these. The SD-WAN policy intent is applied to
the selected source endpoint.
•
Destination—A destination endpoint that you can choose from a list of applications
and predefined or custom application groups. You can select a maximum of 32
applications or application groups as destination endpoints. The SD-WAN policy intent
is applied to the selected destination endpoint.
•
SLA profile—An SLA profile that has the required constraints you want to apply to the
policy intent.
•
Intent name—A unique name for the SD-WAN policy intent.
SD-WAN supports advanced policy-based routing (APBR). APBR enables you to
dynamically define the routing behavior of the SD-WAN network based on applications.
Dynamic application-based routing makes it possible to define policies and to switch
WAN links on the fly based on the application's defined SLA parameters. The APBR
mechanism classifies sessions based on applications and application signatures and
uses policy intents to identify the best possible route for the application. When the best
possible route does not meet the application's defined SLA requirements, the SD-WAN
network finds the next best possible route to meet SLA requirements.
For example, consider an application in a site. If you want the application group to use
custom throughput, latency, or jitter, you can create an SLA profile with these custom
values. You can then create an intent and configure the intent with the application and
apply the custom SLA profile. When the intent is deployed, CSO determines the best
suited WAN link to route traffic based in the application. If the WAN link fails to meet
SLA requirements in runtime, the SD-WAN network switches WAN links to the next best
suited path.
On the basis of the configured SLA profile constraints, you can categorize SD-WAN
policies into two types:
•
Static policy—If only the path preference is defined and none of the SLA parameters
are defined in the SLA profile, then the policy is called a static policy. In static policies,
if the defined WAN link under path preference is unable to meet the SLA requirements,
link switching cannot occur and SLA performance deteriorates.
•
Dynamic policy—If one or more SLA parameters in the SLA profile are defined, then
the policy is called a dynamic policy.
In dynamic policies, because SLA parameters override the path preference, the SD-WAN
network chooses the best possible WAN link for traffic management. When an intent
is deployed on a site, if the WAN link chosen by the SD-WAN network does not meet
the SLA requirements and the network performance deteriorates, then the site switches
WAN links to meet the SLA requirements. The link switching is recorded as an SD-WAN
event and displayed in the SD-WAN Events page in the customer portal and the
Tenant_name SLA Performance pages in the administration and customer portals.
Link switching occurs only when the SD-WAN policy is dynamic because SLA
parameters override the path preference and the site is able to switch WAN links.
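The static and dynamic policy behaviour described above, as an added Python model that is not CSO code: it enforces the rule that a profile needs a path preference or an SLA parameter, classifies the policy type, computes jitter as the guide defines it, and decides whether a site switches WAN links. All names are hypothetical. Treating latency, jitter, and packet loss as upper bounds and throughput as a lower bound, taking latency as the mean round-trip time, and ranking candidate links by path preference and then latency are assumptions; the link measurements are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SLA_FIELDS = ("latency_ms", "jitter_ms", "packet_loss_pct", "throughput_mbps")


@dataclass
class SlaProfile:
    name: str
    priority: int = 1                      # 1 is the highest priority
    path_preference: Optional[str] = None  # "MPLS" or "Internet"
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    packet_loss_pct: Optional[float] = None
    throughput_mbps: Optional[float] = None

    def __post_init__(self):
        # Path preference and SLA parameters cannot both be left blank.
        if self.path_preference is None and not self.sla_parameters():
            raise ValueError(f"{self.name}: set a path preference or an SLA parameter")

    def sla_parameters(self):
        return {f: getattr(self, f) for f in SLA_FIELDS if getattr(self, f) is not None}

    def policy_type(self):
        # Any defined SLA parameter makes the policy dynamic.
        return "dynamic" if self.sla_parameters() else "static"


@dataclass
class WanLink:
    name: str
    kind: str                # "MPLS" or "Internet"
    rtt_ms: list             # round-trip time samples
    packet_loss_pct: float
    throughput_mbps: float

    @property
    def latency_ms(self):    # assumption: mean round-trip time
        return sum(self.rtt_ms) / len(self.rtt_ms)

    @property
    def jitter_ms(self):     # maximum minus minimum round-trip time
        return max(self.rtt_ms) - min(self.rtt_ms)


def violations(profile, link):
    """Names of the SLA parameters that the link does not currently meet."""
    failed = []
    for name, target in profile.sla_parameters().items():
        measured = getattr(link, name)
        met = measured >= target if name == "throughput_mbps" else measured <= target
        if not met:
            failed.append(name)
    return failed


def choose_link(profile, links, current):
    """Return (link name, event); event is None unless the site switches links."""
    if profile.policy_type() == "static":
        return current, None  # static policy: no link switching
    by_name = {link.name: link for link in links}
    failed = violations(profile, by_name[current])
    if not failed:
        return current, None
    candidates = [l for l in links if l.name != current and not violations(profile, l)]
    if not candidates:
        return current, None  # assumption: stay put when no link meets the SLA
    candidates.sort(key=lambda l: (l.kind != profile.path_preference, l.latency_ms))
    best = candidates[0].name
    return best, {"profile": profile.name, "from": current, "to": best,
                  "violated": failed}


def evaluate_site(assignments, links):
    """Handle (profile, current link) pairs in priority order; return switch events."""
    events = []
    for profile, current in sorted(assignments, key=lambda pair: pair[0].priority):
        _, event = choose_link(profile, links, current)
        if event:
            events.append(event)
    return events


# Constructed measurements: the MPLS link has one slow sample, so its jitter is high.
LINKS = [
    WanLink("mpls0", "MPLS", [20, 22, 21, 60], packet_loss_pct=0.1, throughput_mbps=50),
    WanLink("inet0", "Internet", [35, 38, 36, 37], packet_loss_pct=0.2, throughput_mbps=80),
]
VOICE = SlaProfile("voice", priority=1, path_preference="MPLS", latency_ms=50, jitter_ms=10)
BULK = SlaProfile("bulk", priority=3, throughput_mbps=60)
PINNED = SlaProfile("pinned", priority=5, path_preference="MPLS")

if __name__ == "__main__":
    site = [(BULK, "mpls0"), (PINNED, "mpls0"), (VOICE, "mpls0")]
    for event in evaluate_site(site, LINKS):
        print(event)
```
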
Related
Documentation
•
About the Application SLA Profiles Page on page 338
•
About the SD-WAN Policy Page on page 332
•
SD-WAN Events Overview on page 261
About the SD-WAN Policy Page
To access this page, select Configuration > SD-WAN > SD-WAN Policy page in the
Customer Portal.
You can use the SD-WAN Policy page to view, create, edit, and deploy SD-WAN policy
intents. SD-WAN policy intents use SLA profiles for traffic management. SD-WAN policies
help in optimum utilization of the WAN links and efficient distribution of traffic. Every
tenant has an SD-WAN policy and intents are created in the SD-WAN policy.
Tasks You Can Perform
You can perform the following tasks from this page:
•
View existing SD-WAN policy intents.
•
Create SD-WAN policy intents. See “Creating SD-WAN Policy Intents” on page 333.
•
Edit or delete SD-WAN policy intents. See “Editing and Deleting SD-WAN Policy Intents”
on page 337.
•
Deploy SD-WAN policy intents. See “Deploying Policies” on page 380.
•
View the number of undeployed SD-WAN policy intents.
•
Search for SD-WAN policy intents using keywords. Click the search icon. Enter partial
text or full text of the keyword in the search bar and press Enter. The search results
are displayed.
Field Descriptions
Table 191 on page 332 describes the fields on the SD-WAN Policy page.
Table 191: Fields on the SD-WAN Policy Page
Field
Description
Source
View the source endpoints that are configured for the policy intents. A source endpoint is chosen from
sites, site groups, and departments or a combination of all of these to which the policy intent is applied.
Application
View the application destination endpoints that are configured for the policy intents. An application
destination endpoint is chosen from a list of applications and predefined or custom application groups
to which the policy intent is applied.
SLA Profile
View the SLA profile associated with the policy intents. The SLA profiles are used by SD-WAN policy
intents for managing traffic flow.
Options
•
Name—View the name of the policy intents.
•
Description—View the descriptions of the policy intents.
Related
Documentation
•
SLA Profiles and SD-WAN Policies Overview on page 329
•
Creating SD-WAN Policy Intents on page 333
•
Editing and Deleting SD-WAN Policy Intents on page 337
Creating SD-WAN Policy Intents
You can create policy intents for SD-WAN policies from the SD-WAN Policy page.
To create a policy intent:
1. Click the add icon (+) on the Configuration > SD-WAN > SD-WAN Policy page in the Customer
Portal.
The options to create policy intents appear within the SD-WAN Policy page.
2. Enter the policy intent information according to the guidelines provided in
Table 192 on page 334.
3. Click Save to create the policy intent.
Alternatively, if you want to discard your updates, click Cancel instead.
Table 192: Fields on the Create SD-WAN Policy Intent Page
Field
Guidelines
Source
You can select the source endpoints in one of the following ways:
• Select source endpoints from the displayed list of departments, sites, or site groups, or a combination of these.
Click the source endpoints to select them.
• Select the source endpoints from the complete list of departments, sites, and site groups.
To view the complete list of departments, sites, and site groups:
1. Click View more results. The complete list of departments, sites, and site groups is displayed in the End
Points pane on the right.
2. (Optional) Hover over a department or site group and click the edit icon to edit the department or site
group. You cannot edit a site.
3. Click the add icon (+) to select the endpoint.
• Enter an abbreviation in the Source field to select the endpoint from a filtered list of departments, sites, or site
groups. To view a filtered list of departments, sites, or site groups, enter DEPT, SITE, or STGP, respectively.
The abbreviation is not case-sensitive. You can select the source endpoint in one of the following ways:
  • Click the endpoints in the filtered list to select them.
  • Click View more results to select the endpoint from the complete list of departments, sites, and site groups.
  • Click Add new department or Add new sitegroup to create new departments or site groups and select them.
  The Create Site Group page or Create Department page appears based on your selection. See “Creating a
  Department” on page 373 and “Creating Site Groups” on page 400 for information about creating site groups
  and departments.
• Create site groups or departments to select the source endpoint from the newly created site group or
department.
To create site groups or departments:
1. Click anywhere within the Source field.
2. Click the less-than icon (<) on the right.
The list of available departments, sites, and site groups is displayed in the End Points pane on the right.
3. (Optional) To view more information about a source endpoint, hover over the endpoint and click the details
icon.
4. Click the add icon (+) on the top right of the pane.
5. Click Department or Site Group as needed. The Create Department page or Create Site Group page appears
based on your selection. See “Creating a Department” on page 373 and “Creating Site Groups” on page 400
for information about creating departments and site groups.
6. Click the check mark icon (√) if you want to save the department or site group to the policy intent.
Alternatively, if you want to discard your updates, click Cancel instead.
Application
You can select the application endpoints in one of the following ways:
• Select application endpoints from the displayed list of applications and application groups. Click the endpoints
to select them.
• Select the application endpoints from the complete list of applications and application groups.
To view the complete list of applications and application groups:
1. Click View more results. The complete list of applications and application groups is displayed in the End
Points pane on the right.
2. (Optional) Hover over an application group and click the edit icon to edit the application group.
3. (Optional) Hover over an application and click the details icon to view details about the application.
4. Click the add icon (+) to select the endpoint.
• Enter an abbreviation in the Application field to select the endpoint from a filtered list of applications and
application groups. To view a filtered list of applications and application groups, enter apps or APPS. You can
select the application endpoint in one of the following ways:
  • Click the endpoints in the filtered list to select them.
  • Click View more results to select the endpoint from the complete list of applications and application groups.
  • Click Add new application to create a new application group and select the application group. The Create
  Application Signature Group page appears. See “Creating Application Signature Groups” on page 369 for
  information about creating application groups.
• Create custom application groups to select the application endpoint from the newly created application group.
To create an application group:
1. Click anywhere within the Application field.
2. Click the less-than icon (<) on the right.
The list of available applications, departments, sites, and site groups is displayed in the End Points pane
on the right.
3. Click the add icon (+) on the top right of the pane.
4. Click Application. The Create Application Signature Group page appears. See “Creating Application Signature
Groups” on page 369 for information about creating application groups.
5. Click the check mark icon (√) if you want to save the application signature group to the policy intent.
Alternatively, if you want to discard your updates, click Cancel instead.
SLA Profile
Select an SLA profile to apply to the source and application endpoints. You can select the SLA profile in one of
the following ways:
• Select an SLA profile from the displayed list of SLA profiles. Click the SLA profile to select it.
• Select the SLA profile from the complete list of SLA profiles.
To view the complete list of SLA profiles:
1. Click View more results. The complete list of SLA profiles is displayed in the End Points pane on the right.
2. Click the add icon (+) to select the SLA profile.
• Select an SLA profile by creating a custom SLA profile.
To create an SLA profile:
1. Click anywhere within the SLA Profile field.
2. Click the less-than icon (<) on the right.
The list of SLA profiles is displayed in the End Points pane on the right.
3. Click the add icon (+) on the top right of the pane.
4. Click SLA Profile. The Create SLA Profile Page appears. See “Creating SLA Profiles” on page 339 for information
about creating SLA profiles.
5. Click the check mark icon (√) if you want to save the SLA profile to the policy intent.
Alternatively, if you want to discard your updates, click Cancel instead.
Options
Name
Enter a name for the policy intent.
Description
Enter a description for the policy intent.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview on page 329
• About the SD-WAN Policy Page on page 332
• Editing and Deleting SD-WAN Policy Intents on page 337
• Deploying Policies on page 380
Editing and Deleting SD-WAN Policy Intents
You can edit or delete SD-WAN policy intents from the SD-WAN Policy page.
• Editing SD-WAN Policy Intents on page 337
• Deleting SD-WAN Policy Intents on page 337
Editing SD-WAN Policy Intents
You can edit SD-WAN policy intents from the SD-WAN Policy page.
To edit an SD-WAN policy intent:
1. Hover over the SD-WAN policy intent that you want to edit, and then click the edit
icon that appears on the right side of the policy intent.
The options to create policy intents appear within the SD-WAN Policy page showing
the same options that you see when you create a new SD-WAN policy intent.
2. Modify the parameters according to the guidelines provided in “Creating SD-WAN
Policy Intents” on page 333.
3. Click Save to save your changes.
Alternatively, click Cancel to discard your changes.
Deleting SD-WAN Policy Intents
If an SD-WAN intent is no longer needed, you can delete SD-WAN policy intents from
the SD-WAN Policy page.
To delete SD-WAN policy intents:
1. Select one or more policy intents that you want to delete and click the delete icon
(X).
A page requesting confirmation of deletion appears.
2. Click Yes to confirm that you want to delete the selected policy intents.
The policy intents are deleted.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview on page 329
• About the SD-WAN Policy Page on page 332
• Creating SD-WAN Policy Intents on page 333
About the Application SLA Profiles Page
To access this page, select Configuration > SD-WAN > Application SLA Profiles in the
Customer Portal.
You can use the Application SLA Profiles page to view information about service-level
agreement (SLA) profiles for the tenant profile in which you are logged in.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details of SLA profiles for all tenants.
• Create an SLA profile for the tenant. See “Creating SLA Profiles” on page 339.
• Edit the configuration of an existing SLA profile. See “Editing and Deleting SLA Profiles”
on page 341.
• Show or hide columns that contain information about SLA profiles. See “Sorting
Objects” on page 223.
• Search for SLA profiles using keywords. Click the search icon. Enter partial text or full
text of the keyword in the search bar and press Enter. The search results are displayed.
Field Descriptions
Table 193 on page 338 shows the descriptions of the fields on the Application SLA Profiles
page.
Table 193: Fields on the Application SLA Profiles Page
Field
Description
Priority
View the SLA profile priority.
Name
View the SLA profile name.
Link Paths
View WAN link paths associated with the SLA profile.
Tenant
View the tenant associated with the SLA profile.
Class of Service
View the class of service associated with the SLA profile.
Throughput Target
View the target throughput for the SLA profile.
Latency Target
View the target latency for the SLA profile.
Packet Loss Target
View the target packet-loss for the SLA profile.
Jitter Target
View the target jitter for the SLA profile.
Delay Target
View the target delay for the SLA profile.
Target delay is calculated as two times the target latency.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview on page 329
• Creating SLA Profiles on page 339
• Editing and Deleting SLA Profiles on page 341
Creating SLA Profiles
You can use the Create SLA Profile page to create a new service-level agreement (SLA)
profile for the current tenant and configure target metrics for the SLA profile.
To add an SLA Profile to the tenant:
1. Click the add icon (+) on the Configuration > Application SLA Profiles page in the
Customer Portal.
The Create SLA Profile page appears.
2. Enter the general SLA profile information according to the guidelines provided in
Table 194 on page 339.
3. Click Next.
The Configuration tab appears.
4. Complete the configuration according to the guidelines provided in
Table 195 on page 340.
5. Click OK to create the SLA profile. The Application SLA Profile page appears with the
new SLA profile information.
Alternatively, if you want to discard your updates, click Cancel instead.
Table 194: Create SLA Profile - General Tab
Field
Guidelines
General
Name
Enter a name for the SLA profile.
Enter a unique string of alphanumeric characters and some special characters (. -). No spaces are
allowed and the maximum length is 15 characters.
Description
Enter a description for the SLA profile; maximum length is 4096 characters.
Priority
Enter a priority or precedence for the SLA profile. A value of one (1) indicates highest priority. SLA
profiles with higher priorities are given precedence over SLA profiles with lower priorities.
Table 195: Create SLA Profile - Configuration Tab
Field
Guidelines
Configuration
Path Preference
Select the preferred WAN link to associate with the SLA profile. You can select WAN link
from MPLS or the Internet.
Class of Service
Select the preferred class of service (CoS) to associate with the SLA profile. CoS enables
you to divide traffic into classes and offer an assured service level for each class. You can
select the CoS from best effort, voice, interactive video, streaming audio or video, control
traffic, and business essential. By default, voice is selected.
Metrics Targets
Copy Target Metrics From
Select the existing SLA profile from which you want to copy target metrics. By default, no
SLA profile is selected.
Throughput
Enter the target throughput (in Mbps) for the SLA profile. Throughput is the amount of data
that is sent upstream and received downstream by the site during the selected time period.
Latency
Enter the target latency (in ms) for the SLA profile. Latency is the amount of time that a
packet of data takes to travel from one designated point to another. Target delay is calculated
as two times the target latency.
Packet Loss
Enter the target packet loss (in %) for the SLA profile. Packet loss is the percentage of data
packets dropped by the network to manage congestion.
Jitter
Enter the target jitter (in ms) for the SLA profile. Jitter is the difference between the maximum
and minimum round-trip times of a packet of data.
Advanced Configuration
Maximum Upstream Rate
Enter the maximum upstream rate (in Kbps) for all applications associated with the SLA
profile. The rate is in the range 64 through 10,485,760 Kbps.
Maximum Upstream Burst Size
Enter the maximum burst size (in bytes). The burst size is in the range 1 through 1,342,177,280
bytes.
Maximum Downstream Rate
Enter the maximum downstream rate (in Kbps) for all applications associated with the SLA
profile. The rate is in the range 64 through 10,485,760 Kbps.
Maximum Downstream Burst
Size
Enter the maximum burst size (in bytes). The burst size is in the range 1 through 1,342,177,280
bytes.
NOTE: You can also create SLA profiles from the Configuration > SD-WAN >
SD-WAN Policies page in the Customer Portal.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview on page 329
• About the Application SLA Profiles Page on page 338
• Editing and Deleting SLA Profiles on page 341
Editing and Deleting SLA Profiles
You can use the Application SLA Profiles page to edit and delete SLA profiles.
• Editing an SLA Profile on page 341
• Deleting SLA Profiles on page 341
Editing an SLA Profile
To edit an SLA Profile:
1. Select the check box for the SLA profile that you want to edit, and click the Edit icon
on the Configuration > Application SLA Profiles page in the Customer Portal.
The Edit Application SLA Profile page appears.
2. Update the general SLA profile information as needed according to the guidelines
provided in “Creating SLA Profiles” on page 339. You cannot edit the SLA profile name.
3. Click Next.
The Configuration tab appears.
4. Update the configuration parameters as needed according to the guidelines provided
in “Creating SLA Profiles” on page 339.
5. Click OK to save the updated SLA profile configuration.
The SLA profile information that you updated appears on the Application SLA Profiles
page.
Deleting SLA Profiles
You can delete the SLA profile if it is no longer needed. To delete an SLA profile:
1. Select the check box for the SLA profile that you want to delete and click the delete
icon (X) on the Configuration > Application SLA Profiles page in the Customer Portal.
You can also select multiple SLA profiles.
A page requesting confirmation for the deletion appears.
2. Click Yes to confirm that you want to delete the SLA profile.
The SLA profile is deleted.
Related Documentation
• SLA Profiles and SD-WAN Policies Overview on page 329
• About the Application SLA Profiles Page on page 338
• Creating SLA Profiles on page 339
CHAPTER 36
Managing NAT Policies
• NAT Policies Overview on page 343
• About the NAT Policies Page on page 344
• Creating NAT Policies on page 345
• Editing and Deleting NAT Policies on page 346
• Managing NAT Policy Rules on page 347
NAT Policies Overview
Network Address Translation (NAT) is a form of network masquerading where you can
hide devices or sites between zones or interfaces. A trusted zone is a segment of a network
on which security measures are applied. It is usually assigned to the internal LAN. An
untrusted zone is the Internet. NAT modifies the IP addresses of the packets moving
between the trusted and untrusted zones.
Whenever a packet arrives at the NAT device/site, the device/site performs a translation
on the packet’s IP address by rewriting it with an IP address that was specified for external
use. After translation, the packet appears to have originated from the gateway rather
than from the original device within the network. This process hides your internal IP
addresses from the other networks and keeps your network secure.
Using NAT also enables you to use more internal IP addresses. As these IP addresses are
hidden, there is no risk of conflict with an IP address from a different network. This helps
you conserve IP addresses.
CSO supports two types of NAT:
• Source NAT—Translates the source IP address of a packet leaving the trust zone
(outbound traffic). It translates the traffic originating from the device in the trust zone.
Using source NAT, an internal device can access the network by using the IP addresses
specified in the NAT policy. The following use cases are supported with IPv6 NAT:
  • Translation from one IPv6 subnet to another IPv6 subnet without Network Address
  Port Translation (NAPT), also known as Port Address Translation (PAT).
  • Translation from IPv4 addresses to IPv6 prefixes along with IPv4 address translation.
  • Translation from IPv6 hosts to IPv6 hosts with or without NAPT.
  • Translation from IPv6 hosts to IPv4 hosts with or without NAPT.
  • Translation from IPv4 hosts to IPv6 hosts with or without NAPT.
• Static NAT—Always translates a private IP address to the same public IP address. It
translates traffic from both sides of the network (both source and destination). For
example, a webserver with a private IP address can access the Internet using a static,
one-to-one address translation. The following use cases are supported with IPv6 NAT:
  • Mapping of one IPv6 subnet to another IPv6 subnet.
  • Mapping between one IPv6 host and another IPv6 host.
  • Mapping between IPv4 address a.b.c.d and IPv6 address Prefix::a.b.c.d.
  • Mapping between IPv4 hosts and IPv6 hosts.
  • Mapping between IPv6 hosts and IPv4 hosts.
Related Documentation
• About the NAT Policies Page on page 344
• Creating NAT Policies on page 345
• Editing and Deleting NAT Policies on page 346
• Managing NAT Policy Rules on page 347
About the NAT Policies Page
To access this page, select Configuration > NAT > NAT Policies.
Use the NAT Policies page to create, modify, clone, and delete NAT policies and policy
rules. You can filter and sort this information to get a better understanding of what you
want to configure.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a NAT policy. See “Creating NAT Policies” on page 345.
• Modify or delete a NAT policy. See “Editing and Deleting NAT Policies” on page 346.
• Create, modify, clone, and delete NAT policy rules. See “Managing NAT Policy Rules”
on page 347.
• Deploy a NAT policy or NAT policy rule. See “Deploying Policies” on page 380.
• Search for a specific NAT policy. See “Searching for Text in an Object Data Table” on
page 224.
• Show or hide columns. Click the Show Hide Columns icon in the top right corner of the
page.
Field Descriptions
Table 196 on page 345 provides guidelines on using the fields on the NAT Policies page.
Table 196: Fields on the NAT Policies Page
Field
Description
Source
Source endpoint on which the NAT policy applies. A source endpoint can be an address,
protocol, department, or port.
Installed On
Sites or site groups on which the NAT policy is assigned.
Rules
Number of rules assigned to the NAT policy.
Undeployed
Number of undeployed rules associated with the NAT policy. To deploy undeployed rules, click
Deploy. See “Deploying Policies” on page 380.
Related Documentation
• NAT Policies Overview on page 343
• Creating NAT Policies on page 345
• Editing and Deleting NAT Policies on page 346
• Managing NAT Policy Rules on page 347
• About the Deployments Page on page 378
• Deploying Policies on page 380
Creating NAT Policies
Use the Create NAT Policy page to create NAT policies.
To create a NAT policy:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears.
2. Click the add icon (+).
The Create NAT Policy page displays the fields required for creating and configuring a NAT
policy.
3. Complete the configuration according to the guidelines provided in
Table 197 on page 346.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A NAT policy with the configuration you provided is created.
Table 197 on page 346 provides guidelines on using the fields on the Create NAT Policy
page.
Table 197: Fields on the Create NAT Policy Page
Field
Description
Name
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores.
No spaces are allowed and the maximum length is 255 characters.
Manage Proxy ARP
Select this option to enable CSO-managed proxy Address Resolution Protocol (ARP).
Auto ARP Configuration
Select this option to respond to incoming ARP requests. ARP translates IPv4 addresses to
MAC addresses.
Sites Applied On
Select the sites on which you want to apply the policy in the Available column and move them
to the Selected column by clicking the greater-than icon (>).
Sequence No.
Click Select Policy Sequence. The Select Policy Sequence page appears, displaying all NAT
policies. Select the policy you want to reorder and select Move Policy Up or Move Policy Down
to reorder your NAT policy among the existing policies.
Related Documentation
• NAT Policies Overview on page 343
• About the NAT Policies Page on page 344
• Editing and Deleting NAT Policies on page 346
• Managing NAT Policy Rules on page 347
Editing and Deleting NAT Policies
You can edit, clone, and delete NAT policies from the NAT Policies page.
• Editing NAT Policies on page 346
• Deleting NAT Policies on page 347
Editing NAT Policies
To modify the parameters configured for a NAT Policy:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears.
2. Hover over the NAT policy you want to edit, and then click on the edit icon (pencil
symbol) on the right side of the table.
The Edit NAT Policy page appears, showing the same fields as those seen when you
create a new NAT policy.
3. Modify the parameters according to the guidelines provided in “Creating NAT Policies”
on page 345.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, you will see the modified NAT policy in the NAT Policies page.
Deleting NAT Policies
To delete a NAT policy:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears.
2. Hover over the NAT policy you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete your selection.
3. Click Yes to delete the selection. If you do not want to delete, click Cancel instead.
If you click Yes, the selected NAT policy is deleted.
Related Documentation
• NAT Policies Overview on page 343
• About the NAT Policies Page on page 344
• Creating NAT Policies on page 345
• Managing NAT Policy Rules on page 347
Managing NAT Policy Rules
Use the NAT Policy Rule page to get an overall, high-level view of the settings of your NAT
policy rules. Details help you keep track of the number and order of rules for each policy.
You can filter and sort this information to get a better understanding of what you want
to view.
• Creating NAT Policy Rules on page 348
• Editing NAT Policy Rules on page 349
• Cloning NAT Policy Rules on page 350
• Deleting NAT Policy Rules on page 350
• Deploying NAT Policy Rules on page 351
Creating NAT Policy Rules
NAT processing centers on the evaluation of NAT rule sets and rules. A rule set determines
the overall direction of the traffic to be processed. After a rule set that matches the traffic
is found, each rule in the rule set is evaluated for a match. NAT rules can match on the
following packet information:
• Source and destination address
• Source port (for source and static NAT only)
• Destination port
The first rule in the rule set that matches the traffic is used. If a packet matches a rule in
a rule set during session establishment, traffic is processed according to the action
specified by that rule.
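The first-match behaviour described above, as an added Python example that is not part of this guide or of CSO: it models a rule set selected by traffic direction, returns the first rule that matches a flow, and reports rules that an earlier, broader rule makes unreachable. The zone names, rule names, addresses and the NatRule and RuleSet classes are constructed for illustration, and source-port matching is left out to keep the model small.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dst_port: Optional[int]      # None matches any destination port
    translate_to: Optional[str]  # None models the "No Translation" type


@dataclass(frozen=True)
class RuleSet:
    name: str
    from_zone: str               # direction of the traffic the rule set handles
    to_zone: str
    rules: Tuple[NatRule, ...]   # evaluated top to bottom


def _rule_matches(rule: NatRule, src: str, dst: str, dport: int) -> bool:
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and rule.dst_port in (None, dport)
    )


def evaluate(rule_sets, from_zone, to_zone, src, dst, dport):
    """Return (rule set, rule, source address after NAT), or None if no rule matches."""
    for rs in rule_sets:
        if (rs.from_zone, rs.to_zone) != (from_zone, to_zone):
            continue  # this rule set handles another direction
        for rule in rs.rules:
            if _rule_matches(rule, src, dst, dport):
                # First match wins; later rules are never consulted.
                return rs.name, rule.name, rule.translate_to or src
    return None


def _subset(inner: str, outer: str) -> bool:
    a, b = ipaddress.ip_network(inner), ipaddress.ip_network(outer)
    return a.version == b.version and a.subnet_of(b)


def shadowed_rules(rule_set: RuleSet) -> List[Tuple[str, str]]:
    """List (unreachable rule, earlier rule that hides it) pairs.

    Only shadowing by a single earlier rule is detected, not by a
    combination of several earlier rules.
    """
    found = []
    for i, later in enumerate(rule_set.rules):
        for earlier in rule_set.rules[:i]:
            if (_subset(later.src, earlier.src)
                    and _subset(later.dst, earlier.dst)
                    and earlier.dst_port in (None, later.dst_port)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy (documentation address ranges, hypothetical names).
BROAD = NatRule("lan-any", "10.0.0.0/8", "0.0.0.0/0", None, "203.0.113.10")
EXEMPT = NatRule("partner-no-nat", "10.20.30.0/24", "198.51.100.0/24", 443, None)
AS_DEPLOYED = RuleSet("trust-to-untrust", "trust", "untrust", (BROAD, EXEMPT))
REORDERED = RuleSet("trust-to-untrust", "trust", "untrust", (EXEMPT, BROAD))

if __name__ == "__main__":
    flow = ("trust", "untrust", "10.20.30.5", "198.51.100.7", 443)
    for rs in (AS_DEPLOYED, REORDERED):
        print(evaluate([rs], *flow), shadowed_rules(rs))
```

In the constructed policy the no-translation exemption sits below the broad rule, so the flow is still translated; moving the specific rule above the broad one restores the intended behaviour.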
To create a new NAT policy rule, click on the NAT policy name; the NAT Policy page appears,
providing you with options to configure NAT rules. You can configure the following types
of NAT rules:
• Source
• Static
• Destination
Depending on the type of rule you have chosen, some fields in the rule will not be
applicable. In addition to defining rules between zones and interfaces, you can define
NAT rules with virtual routers defined on the device. These rules can be successfully
published and updated on the device.
To create a NAT policy rule:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears, displaying the existing NAT policies.
2. Click on the name of the NAT policy for which you want to create rules.
The NAT Policy page appears.
3. Click Create and select either Source or Static. The page displays fields for creating a
NAT policy rule.
4. Complete the configuration according to the guidelines provided in
Table 198 on page 349.
5. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A NAT policy rule with the configuration you provided is created.
Table 198 on page 349 provides guidelines on using the fields on the create NAT policy
rule page.
Table 198: Fields on the Create NAT Policy Rule Page
Field
Description
Name
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores.
No spaces are allowed and the maximum length is 255 characters.
Source Packet
Select the source packet to which the NAT policy rule applies, from the available list. A source
packet can be an address, a protocol, or a port.
Destination Packet
Select the destination packet to which the NAT policy rule applies, from the available list.
A destination packet can be an address, a service, or a port.
Translated Packet
Translated source or destination packet.
Translation Type
Specify the translation type for the incoming traffic, from the following options:
• No Translation—No translation is required for the incoming traffic.
• Interface—Performs interface-based translations on the source or destination packet.
If you create a static NAT policy rule, the value of the Translation Type field is Address by default.
You can provide the translation address in the Translated Address field or choose the
Corresponding IPv4 address.
Translated Address (Only for static NAT policy rule)
Select an address from the available list.
End Points
Create source and destination endpoints such as addresses and services.
• To create an address, click the add icon (+) and select Address. See “Creating Addresses
or Address Groups” on page 355 to configure the parameters of the address.
• To create a service, click the add icon (+) and select Service. See “Creating Services and
Service Groups” on page 360 to configure the parameters of the service.
To edit the configured parameters of an address or service, hover over it and click on the edit
icon (pencil symbol).
Editing NAT Policy Rules
To modify the parameters configured for a NAT policy rule:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears, displaying the NAT policies.
2. Select the NAT policy whose rules you want to edit.
The selected NAT Policy appears, displaying the rules associated with the NAT policy.
3. Hover over the NAT policy rule that you want to modify and click on the edit icon
(pencil symbol) that appears on the right side of the NAT policy rule. The page changes
to display the same fields that you use to create a NAT policy rule.
4. Complete the configuration according to the guidelines provided in
Table 198 on page 349.
5. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
The modified NAT policy rule appears on the NAT Policy page.
Cloning NAT Policy Rules
To clone a NAT policy rule:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears, displaying the NAT policies.
2. Select the NAT policy whose rule you want to clone.
The selected NAT Policy appears, displaying the rules associated with the NAT policy.
3. Hover over the NAT policy rule that you want to clone and click on the clone icon that
appears on the right side of the NAT policy rule.
The cloned NAT policy rule appears below the current rule.
You can modify the parameters configured for the cloned NAT policy rule or rename it
as required.
Deleting NAT Policy Rules
To delete a NAT policy rule:
1. Select Configuration > NAT > NAT Policies.
The NAT Policies page appears, displaying the NAT policies.
2. Select the NAT policy whose rule you want to delete.
The selected NAT Policy appears, displaying the rules associated with the NAT policy.
3. Hover over the NAT policy rule you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete your selection.
4. Click Yes to delete the selection. If you do not want to delete, click Cancel instead.
If you click Yes, the selected NAT policy rule is deleted.
Deploying NAT Policy Rules
To deploy a NAT policy rule:
1. Select Configuration > NAT Policy > Policies.
2. Click on the name of the NAT policy rules displayed.
The NAT policy rule page appears.
3. Select the NAT policy rule you want to deploy and then click Deploy.
The Deploy page appears.
4. Configure your deployment as required. See “Deploying Policies” on page 380.
Related Documentation
• NAT Policies Overview on page 343
• About the NAT Policies Page on page 344
• Creating NAT Policies on page 345
• Editing and Deleting NAT Policies on page 346
• Deploying Policies on page 380
CHAPTER 37
Managing Shared Objects
• Addresses and Address Groups Overview on page 353
• About the Addresses Page on page 354
• Creating Addresses or Address Groups on page 355
• Editing, Cloning, and Deleting Addresses and Address Groups on page 357
• Services and Service Groups Overview on page 359
• About the Services Page on page 359
• Creating Services and Service Groups on page 360
• Creating Protocols on page 362
• Editing and Deleting Protocols on page 365
• Editing, Cloning, and Deleting Services and Service Groups on page 366
• Application Signatures Overview on page 368
• About the Application Signatures Page on page 368
• Creating Application Signature Groups on page 369
• Editing, Cloning, and Deleting Application Signature Groups on page 370
• About the Departments Page on page 372
• Creating a Department on page 373
• Modifying a Department on page 374
• Deleting a Department on page 374
Addresses and Address Groups Overview
An address specifies an IP address or a hostname. You can create addresses that can
be used across all policies. Addresses are used in firewall and NAT services and apply to
the corresponding policies. If you know only the hostname, you enter it into the Hostname
field and use the address resolution option to resolve it to an IP address. You can also
resolve an IP address to the corresponding hostname.
After you create an address, you can combine it with other addresses to form an address
group. Address groups are useful when you want to apply the same policy to multiple
addresses.
Contrail Service Orchestration (CSO) manages its address book at the global level,
assigning objects to devices that are required to create policies. An address book is a
collection of addresses and address groups that are available in a security zone. If the
device is capable of using a global address book, CSO pushes address objects used in
the policies to the global address book of the device.
Related Documentation
• About the Addresses Page on page 354
• Creating Addresses or Address Groups on page 355
• Editing, Cloning, and Deleting Addresses and Address Groups on page 357
About the Addresses Page
To access this page, select Configuration > Shared Objects > Addresses.
Use this page to create, edit, and delete addresses and address groups. Addresses and
address groups are used in firewall and NAT services. After you create an address, you
can combine it with other addresses to form an address group. Address groups are useful
when you want to apply the same policy to multiple services.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create an address or address group. See “Creating Addresses or Address Groups” on
page 355.
• Modify, clone, or delete an address or address group. See “Editing, Cloning, and Deleting
Addresses and Address Groups” on page 357.
• View the configured parameters of an address or address group. Click the details icon
that appears when you hover over the name of an image or select More > Detailed View.
See “Viewing Object Details” on page 223.
• Show or hide columns about the address or address group. See “Sorting Objects” on
page 223.
• Search for an address or address group. See “Searching for Text in an Object Data
Table” on page 224.
Field Descriptions
Table 199 on page 354 provides guidelines on using the fields on the Addresses page.
Table 199: Fields on the Addresses Page
Field
Description
Name
View the name of the address or address group.
Type
View the type of the address or address group.
Hostname
View the hostname of the address.
IP Address
View the IP address associated with the address.
Description
View the description provided about the address or address group when it was created.
Related Documentation
• Addresses and Address Groups Overview on page 353
• Creating Addresses or Address Groups on page 355
• Editing, Cloning, and Deleting Addresses and Address Groups on page 357
Creating Addresses or Address Groups
Use the Addresses page to create addresses and address groups. Addresses and address
groups are used in firewall and NAT services. After you create an address, you can combine
it with other addresses to form an address group. Address groups are useful when you
want to apply the same policy to multiple services.
To create an address or address group:
1. Select Configure > Shared Objects > Addresses.
The Addresses page appears.
2. Click on the add icon (+).
The Create Addresses page appears.
3. Complete the configuration according to the guidelines provided in
Table 200 on page 355 and Table 201 on page 356.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new address or address group with your configurations is created. You can use this
object in firewall or NAT policies.
Table 200: Fields on the Create Addresses Page
Field
Description
Object Type
Select Address or Address Group. If you select Address Group, then the screen changes so you
can select the addresses you want to include in your address group. Table 201 on page 356
describes address group configuration parameters.
Name: Enter a unique name for the address. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed.
Description: Enter a description for your address; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators.
Type: Select a type of address and fill in the corresponding fields. Available types are:
• Host
  • Host IP—Enter the IPv4 or IPv6 host IP address. For example: 192.0.2.0 or 2001:db8:4136:e378:8000:63bf:3fff:fdd2. If you do not know the IP address, you can enter the hostname and click Look up hostname.
  • Hostname—Enter the hostname. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed. If you do not know the host name, you can enter the IP address and click Look up IP address. For example, enter www.company.com and click Look up IP address. Hostname lookup is supported for IPv4 and IPv6 addresses.
• Range
  • Start Address—Enter a starting IPv4 or IPv6 address for the address range. For example: 192.0.2.0 or 2001:db8:4136:e378:8000:63bf:3fff:fdd2.
  • End Address—Enter an ending IPv4 or IPv6 address for the address range. The range is validated after you enter the address.
  NOTE: An address range is configured on a managed device as an address set with one or more network address objects covering the specified address range.
• Network
  • Network—Enter the network IP address. For example: 192.0.2.0. IPv6 is also supported. For example: 2001:db8:4136:e378:8000:63bf:3fff:fdd2.
  • Subnet Mask—Enter the subnet mask for the network range. For example, IPv4 netmask: 192.0.2.0/24. The subnet mask is validated as you enter it. You must enter the correct subnet mask in accordance with the network value. For example, IPv6 netmask: 2001:db8:4136:e378:8000:63bf:3fff:fdd2.
• Wildcard
  • Network—Enter the network IPv4 or IPv6 address. For example: 192.0.2.0 or 2001:db8:4136:e378:8000:63bf:3fff:fdd2.
  • Wildcard Mask—Enter the wildcard mask for the network range. For example: 0.0.0.255.
• DNS Host
  • DNS Name—Enter the DNS name. For example: company.com. Only alphanumeric characters, dashes, and periods are accepted. This name cannot exceed 69 characters in length, and must end with an alphanumeric character.
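The NOTE under the Range type says that a range reaches the managed device as a set of network address objects covering it. The following is an added example, not CSO or Junos OS code, showing one way to compute such an exact cover with Python's standard ipaddress module and how many extra addresses a single enclosing network would admit instead. The function names and sample ranges are constructed for illustration.

```python
import ipaddress


def _parse_range(start, end):
    """Validate a start/end pair the way a range field has to be validated."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError("start and end must be the same IP version")
    if first > last:
        raise ValueError("start address is higher than end address")
    return first, last


def range_to_networks(start, end):
    """Return the smallest list of CIDR networks that covers start..end exactly."""
    first, last = _parse_range(start, end)
    return list(ipaddress.summarize_address_range(first, last))


def enclosing_network(start, end):
    """Return the smallest single network that contains the whole range."""
    first, last = _parse_range(start, end)
    # The leading bits shared by both addresses form the common prefix.
    differing_bits = (int(first) ^ int(last)).bit_length()
    prefixlen = first.max_prefixlen - differing_bits
    return ipaddress.ip_network(f"{first}/{prefixlen}", strict=False)


def extra_addresses(start, end):
    """Count addresses a single enclosing network allows beyond the range."""
    first, last = _parse_range(start, end)
    requested = int(last) - int(first) + 1
    return enclosing_network(start, end).num_addresses - requested


if __name__ == "__main__":
    # Constructed sample ranges (documentation prefixes), not taken from a device.
    samples = [
        ("192.0.2.5", "192.0.2.20"),
        ("2001:db8::1", "2001:db8::4"),
    ]
    for start, end in samples:
        exact = ", ".join(str(n) for n in range_to_networks(start, end))
        print(f"{start} - {end}")
        print(f"  exact cover      : {exact}")
        print(f"  single network   : {enclosing_network(start, end)}")
        print(f"  extra if widened : {extra_addresses(start, end)}")
```

When reviewing address objects, a Network entry used as a shortcut for a range is worth comparing against the exact cover, because the difference is address space the policy permits without anyone having asked for it.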
Table 201: Address Group Settings
Field: Description
Object Type: Select Address or Address Group. If you select Address Group, then the screen changes so you can select the addresses you want to include in your address group. Table 200 on page 355 describes address group configuration parameters.
Name: Enter a unique name for the address group. It must begin with an alphanumeric character and cannot exceed 63 characters. Dashes and underscores are allowed.
Description: Enter a description for your address group; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators.
Addresses: Select the check box beside each address you want to include in the address group. Click the greater-than icon (>) to move the selected address or addresses from the Available column to the Selected column. Note that you can use the fields at the top of each column to search for addresses.
Related Documentation
• Addresses and Address Groups Overview on page 353
• About the Addresses Page on page 354
• Editing, Cloning, and Deleting Addresses and Address Groups on page 357
Editing, Cloning, and Deleting Addresses and Address Groups
You can edit, clone, and delete addresses and address groups from the Addresses page.
• Editing Addresses and Address Groups on page 357
• Cloning Addresses and Address Groups on page 358
• Deleting Addresses and Address Groups on page 358
Editing Addresses and Address Groups
To modify the parameters configured for an address or address group:
1. Select Configuration > Shared Objects > Addresses.
The Addresses page appears.
2. Select the address or address group that you want to edit, and then click More > Edit,
or click the edit icon (pencil symbol) at the right top corner of the table, or right-click
and select Edit.
The Edit page appears, showing the same options as displayed when you create a
new address or address group.
3. Modify the parameters according to the guidelines provided in “Creating Addresses
or Address Groups” on page 355.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
When you click OK, the modified address or address group is displayed on the Addresses
page.
NOTE: When you edit an address that is deployed as part of a policy, you
will need to redeploy that policy in order for the changes to take effect. See
“Deploying Policies” on page 380 for more information.
Cloning Addresses and Address Groups
To clone an address or address group:
1. Select Configuration > Shared Objects > Addresses.
The Addresses page appears.
2. Right-click the address or address group that you want to clone and then click Clone,
or select More > Clone.
The Clone page appears with editable fields.
3. Modify the configured parameters of the address or address group, as required.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you select OK, the cloned address or address group is saved.
Deleting Addresses and Address Groups
NOTE: Only addresses or address groups that have not been referenced in
any policy can be deleted. If you try to delete an address or address
group that is referenced in a policy, an error message will be displayed.
To delete an address or address group:
1. Select Configuration > Shared Objects > Addresses.
The Addresses page appears.
2. Select the address or address group you want to delete and then click the delete icon (X).
An alert message appears verifying that you want to delete your selection.
3. Click Yes to delete the address or address group. If you do not want to delete, click
Cancel instead.
If you select Yes, the selected address or address group is deleted, unless it is referenced
in a policy.
Related Documentation
• Addresses and Address Groups Overview on page 353
• About the Addresses Page on page 354
• Creating Addresses or Address Groups on page 355
• Viewing Object Details on page 14
• Sorting Objects on page 15
• Searching for Text in an Object Data Table on page 15
Services and Service Groups Overview
A service refers to an application on a device, for example, Domain Name Service (DNS).
Services are based on protocols and ports used by an application, and when added to a
policy, a configured service can be applied across all devices. Services are candidates
for firewall policy end-points. The protocols used to create a service include: TCP, UDP,
MS-RPC, SUN-RPC, ICMP, and ICMPv6. Contrail Service Orchestration (CSO) also includes
predefined, commonly used services, and you cannot modify or delete them.
Once you create a service, you can combine it with other services to form a service group.
Service groups are useful when you want to apply the same policy to multiple services,
as this enables you to create fewer policies.
Related Documentation
• About the Services Page on page 359
• Creating Services and Service Groups on page 360
• Editing, Cloning, and Deleting Services and Service Groups on page 366
About the Services Page
To access this page, select Configuration > Shared Objects > Services.
Use the Services page to create, modify, clone, and delete services or service groups. You
can also create and manage the protocols that you use to create services.
A service refers to an application on a device, such as Domain Name Service (DNS).
Services are based on protocols and ports used by an application. When added to a
policy, a configured service can be applied across all devices. The protocols available to
create a service include: TCP, UDP, SUN-RPC, MS-RPC, ICMP, ICMPv6, and so on.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a service or service group. See “Creating Services and Service Groups” on page 360.
• Modify, clone or delete a service or service group. See “Editing, Cloning, and Deleting Services and Service Groups” on page 366.
• View the configured parameters of a service or service group. Click the details icon that appears when you hover over the name of a service or service group, or click More > Detailed View. See “Viewing Object Details” on page 223.
• Show or hide columns about the services or service groups. See “Sorting Objects” on page 223.
• Search for a specific service or service group. See “Searching for Text in an Object Data Table” on page 224.
Field Descriptions
Table 202 on page 360 provides guidelines on using the fields on the Services page.
Table 202: Fields on the Service Page
Field: Description
Name: Name of the service or service group.
Type: Specifies whether the object is a service or service group.
Description: Description about the service or service group.
Predefined or Custom: List of predefined services and service groups, and a list of custom services or service groups that you created.
Related Documentation
• Services and Service Groups Overview on page 359
• Creating Services and Service Groups on page 360
• Editing, Cloning, and Deleting Services and Service Groups on page 366
Creating Services and Service Groups
Use the Create Service page to create a service. You can create services based on protocols
and ports used by an application. The protocols used to create a service include: TCP,
UDP, MS-RPC, SUN-RPC, ICMP, and ICMPv6. Once you create a service, you can combine
it with other services to form a service group. Service groups are useful when you want
to apply the same policy to multiple services.
You can also create or modify protocols that you base your services on, from the Services
page.
To configure a service or service group:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Click the add icon (+) to create a service or service group.
The Create Services page appears.
3. Complete the configuration of a service according to the guidelines provided in
Table 203 on page 361.
If you want to configure a service group, see Table 204 on page 361.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new service or service group with the configuration you provided is created. You can
use this service or service group as an endpoint in firewall policies.
Table 203 on page 361 provides guidelines on using the fields to create a service.
Table 203: Service Settings
Field: Description
Object Type: Select Service or Service Group. If you select Service Group, then the page changes so you can select the services you want to include in your service group.
Name: Enter a unique name for the service. It must begin with an alphanumeric character and cannot exceed 63 characters; dashes and underscores are allowed.
Description: Enter a description for your service. You should make this description as useful as possible for all administrators.
Protocols: Select the protocol you want to associate with the service. You can use existing protocols that are listed in the Protocols table. You can also create a new protocol, or edit existing protocols:
• To create a new protocol, click on the add icon (+). See “Creating Protocols” on page 362.
• To edit an existing protocol, click on the edit icon (pencil symbol). See “Editing and Deleting Protocols” on page 365.
Table 204 on page 361 provides guidelines on using the fields to create a service group.
Table 204: Service Group Settings
Field: Description
Object Type: Select Service or Service Group. If you select Service Group, then the screen changes so you can select the services you want to include in your service group.
Name: Enter a unique name for the service. It must begin with an alphanumeric character and cannot exceed 63 characters; dashes and underscores are allowed.
Description: Enter a description for your service group. You should make this description as useful as possible for all administrators.
Services: Select the service you want to include in the service group and click the greater-than icon (>) to move the selected service or services from the Available column to the Selected column. You can use the search field at the top of each column to search for listed services.
Related Documentation
• Services and Service Groups Overview on page 359
• About the Services Page on page 359
• Editing, Cloning, and Deleting Services and Service Groups on page 366
• Creating Protocols on page 362
• Editing and Deleting Protocols on page 365
Creating Protocols
Use the Create Protocol page to create TCP, UDP, MS-RPC, SUN-RPC, ICMP, and ICMPv6
protocols that can be used in services. A service refers to an application on a device.
Services are based on protocols and ports used by an application.
To create a protocol:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Click the add icon (+) to create a service or service group.
The Create Services page appears.
3. Click the add icon (+) that appears above the Protocols table.
The Create Protocol page appears.
4. Complete the configuration of the protocol according to the guidelines provided in
Table 205 on page 363 and Table 206 on page 363.
5. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new protocol with the configuration you provided is created. You can use this protocol
to create services.
Table 205 on page 363 provides guidelines on using the fields to create a protocol.
Table 205: Fields on Create Protocol Page Settings
Field: Description
General Information
Name: Enter a unique name for the protocol. It must begin with an alphanumeric character and cannot exceed 63 characters; dashes and underscores are allowed.
Description: Enter a description for your protocol. It cannot exceed 1,024 characters.
Type: Select the type of the protocol you want to create and fill in the corresponding fields. The available types of protocols are: TCP, UDP, ICMP, SUN-RPC, MS-RPC, ICMPv6, and so on. If you select TCP, continue with this table. See Table 206 on page 363 for the other protocol types.
Destination Port: Enter a destination port number for TCP. The range is from 0 to 65,535.
Advanced Settings
Enable Inactivity Timeout: Enabled by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds or 2,160 minutes.
ALG: Select an ALG (Application Layer Gateway) service option if applicable.
Source Ports and Port Ranges: Enter the source port or port range for the protocol.
Table 206 on page 363 includes the settings and guidelines for the various protocol types.
Table 206: Create Protocol Type Settings
Field: Description
UDP
Destination Port: Enter a destination port number for UDP. This is a value or value range from 0 through 65,535.
Advanced Settings
Enable Inactivity Timeout: Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.
ALG: Select an ALG (Application Layer Gateway) service option if applicable.
Source Ports and Port Ranges: Enter a source port or port range for UDP. This is a value or value range from 0 through 65,535.
ICMP
Enable Inactivity Timeout: Enabled by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.
ICMP Type: Enter a value from 0 through 225 for the ICMP message type. For example, enter 1 for host unreachable. You can find these values in RFC 792.
ICMP Code: Enter a value from 0 through 225 for the ICMP code. For example, enter 0 for echo reply. You can find these values in RFC 792.
SUN-RPC
Destination Port (available if Enable ALG is selected): Enter a destination port for SUN-RPC. This is a value or value range from 0 through 65,535.
Enable Inactivity Timeout: Enabled by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.
Enable ALG: Not selected by default. If you enable ALG for this protocol, you must enter a destination port in the field that becomes available.
RPC Program Number: Enter a value or value range for the RPC (remote procedure call) service. For example, enter 100,017 for remote execution. You can find these values in RFC 5531.
Protocol Type: Select TCP or UDP for the protocol type.
MS-RPC
Destination Port (available if Enable ALG is selected): Enter a destination port for MS-RPC. This is a value or value range from 0 through 65,535.
Enable Inactivity Timeout: Enabled by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.
Enable ALG: Not selected by default. If you enable ALG for this protocol, you must enter a destination port number in the field that becomes available.
UUID: Enter the corresponding UUID value for the MS-RPC service. For predefined values, refer to MS-RPC UUID Mappings.
Protocol Type: Select TCP or UDP for the protocol type.
ICMPv6
Enable Inactivity Timeout: Selected by default. Enter a timeout value for this protocol in seconds or minutes. The maximum values are 129,600 seconds and 2,160 minutes.
ICMP Type: Enter a value from 0 through 225 for the ICMPv6 message type. You can find these values in RFC 4443.
ICMP Code: Enter a value from 0 through 225 for the ICMPv6 code. You can find these values in RFC 4443.
Destination Port: Use other to create protocols that do not match the provided type categories. Enter a destination port for the other protocol. This is a value or value range from 0 through 65,535.
Related Documentation
• Editing and Deleting Protocols on page 365
• About the Services Page on page 359
• Creating Services and Service Groups on page 360
Editing and Deleting Protocols
You can edit and delete protocols through the Services page.
• Editing Protocols on page 365
• Deleting Protocols on page 366
Editing Protocols
To modify the parameters configured for a protocol:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Select the service to which the protocol you want to edit is associated, and click on
the edit icon (pencil symbol) on the right top corner of the table, or right-click and
select Edit Service.
The Edit Service page appears, listing the protocols associated with the service in
the Protocols table.
3. Select the protocol that you want to edit, and then click on the edit icon (pencil symbol)
on the right top corner of the Protocols table, or right-click and select Edit Protocol.
The Edit Protocol page appears, showing the same fields as those seen when you
create a new protocol.
4. Modify the parameters of the protocol according to the guidelines provided in “Creating
Protocols” on page 362.
5. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, the modified protocol appears in the Protocols table.
Deleting Protocols
To delete a protocol:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Select the service to which the protocol you want to delete is associated, and click
on the edit icon (pencil symbol) on the right top corner of the table, or right-click and
select Edit Service.
The Edit Service page appears, listing the protocols associated with the service in
the Protocols table.
3. Select the protocol you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete the protocol.
4. Click Yes to delete the protocol. If you do not want to delete, click Cancel instead.
If you click Yes, the selected protocol is deleted.
Related Documentation
• Services and Service Groups Overview on page 359
• About the Services Page on page 359
• Creating Services and Service Groups on page 360
• Editing, Cloning, and Deleting Services and Service Groups on page 366
• Creating Protocols on page 362
Editing, Cloning, and Deleting Services and Service Groups
You can edit, clone, and delete services and service groups from the Services page.
• Editing Services and Service Groups on page 366
• Cloning Services or Service Groups on page 367
• Deleting Services and Service Groups on page 367
Editing Services and Service Groups
To modify the parameters configured for a service or service group:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Select the service or service group that you want to edit, and click on the edit icon
(pencil symbol) on the right top corner of the table, or right-click and select Edit Service.
The Edit Service page appears, displaying the same options that are displayed when
creating a new service or service group.
3. Modify the parameters according to the guidelines provided in “Creating Services and
Service Groups” on page 360.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, you will see the modified service or service group in the Services page.
Cloning Services or Service Groups
To clone a service or service group:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Right-click on the service or service group that you want to clone and then click Clone,
or select More > Clone.
The Clone Service page appears with editable fields.
3. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, the cloned service or service group will appear beneath the selected service
or service group.
Deleting Services and Service Groups
To delete a service or service group:
1. Select Configuration > Shared Objects > Services.
The Services page appears.
2. Select the service or service group you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete the service or service
group.
3. Click Yes to delete the service or service group. If you do not want to delete, click
Cancel instead.
If you click Yes, the selected service or service group is deleted.
Related Documentation
• Services and Service Groups Overview on page 359
• About the Services Page on page 359
• Creating Services and Service Groups on page 360
Application Signatures Overview
Juniper Networks regularly updates the predefined application signature database, making
it available to subscribers on the Juniper Networks website. This database includes
signature definitions of known application objects that can be used to identify applications
for tracking, firewall policies, and quality-of-service prioritization.
Use the Application Signatures page to get an overall, high-level view of your application
signature settings. You can filter and sort this information to get a better understanding
of what you want to configure.
Related Documentation
• About the Application Signatures Page on page 368
• Creating Application Signature Groups on page 369
• Editing, Cloning, and Deleting Application Signature Groups on page 370
• Signature Database Overview on page 419
About the Application Signatures Page
To access this page, select Configuration > Shared Objects > Application Signatures.
Use the Application Signatures page to view application signatures that are already
downloaded and to create, modify, clone, and delete custom application signature groups.
The Application Signatures page displays the name, object type, category and subcategory,
risk associated with, and characteristics of the signature. You can create custom
application signature groups with a set of similar signatures for consistent reuse when
defining policies.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create an application signature group. See “Creating Application Signature Groups” on page 369.
• Modify, clone, or delete an application signature group. See “Editing, Cloning, and Deleting Application Signature Groups” on page 370.
• View the configured parameters of an application signature or application signature group. Click the details icon that appears when you hover over the name of an image or click More > Details. See “Viewing Object Details” on page 223.
• Show or hide columns in the Application Signatures. See “Sorting Objects” on page 223.
• Search for a specific application signature or application signature group. See “Searching for Text in an Object Data Table” on page 224.
• Filter the application signature information based on select criteria. To do this, select the filter icon at the top right-hand corner of the table. The columns in the grid change to accept filter options. Select the filter options; the table displays only the data that fits the filtering criteria.
Field Descriptions
Table 207 on page 369 provides guidelines on using the fields on the Application Signatures
page.
Table 207: Fields on the Application Signatures Page
Field: Description
Name: Name of the application signature or application signature group.
Object Type: Signature type—either application signature or application signature group.
Category: UTM category of the application signature. For example, the value of Category can be Messaging, Web, Infrastructure, Remote-Access, Multimedia, and so on.
Subcategory: UTM subcategory of the application signature. For example, the value of Subcategory can be Wiki, File-Sharing, Multimedia, Social-Networking, News, and so on.
Risk: Level of risk associated with the application signature. For example, the value of Risk can be Low, High, unsafe, and so on.
Characteristic: One or more characteristics of the application signature.
Predefined or Custom: A list of predefined application signatures and application signature groups, and a list of custom application signature groups that you created.
Related Documentation
• Application Signatures Overview on page 368
• Creating Application Signature Groups on page 369
• Editing, Cloning, and Deleting Application Signature Groups on page 370
• Signature Database Overview on page 419
• About the Active Database Page on page 420
Creating Application Signature Groups
Application identification supports custom application signatures to detect applications
as they pass through the device. When you create custom signature groups, make sure
that your signature groups are unique, by providing a unique and relevant name.
To create an application signature group:
1. Select Configure > Shared Objects > Application Signatures.
2. Click the add icon (+).
3. Complete the configuration according to the guidelines provided in
Table 208 on page 370.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
A new application signature group with your configurations is created. You can use this
application signature group in firewall, NAT, and SD-WAN policies.
Table 208 on page 370 provides guidelines on using the fields on the Create Application
Signature Group page.
Table 208: Fields on the Create Application Signature Group Page
Field: Description
Name: Enter a unique name that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.
Group Members: Click the add icon (+) to add signatures to your application group. On the Add Application Signatures page, select the check boxes next to the signatures you want to add to the group.
Related Documentation
• Application Signatures Overview on page 368
• About the Application Signatures Page on page 368
• Editing, Cloning, and Deleting Application Signature Groups on page 370
• Signature Database Overview on page 419
• About the Active Database Page on page 420
Editing, Cloning, and Deleting Application Signature Groups
You can edit, clone, and delete application signature groups from the Application
Signatures page.
• Editing Application Signature Groups on page 371
• Cloning Application Signature Groups on page 371
• Deleting Application Signature Groups on page 371
Editing Application Signature Groups
To modify the parameters configured for an application signature group:
1. Select Configuration > Shared Objects > Application Signatures.
The Application Signatures page appears.
2. Select the application signature group that you want to edit, and then select More >
Edit, or click on the edit icon (pencil symbol), on the top right corner of the table, or
right-click and select Edit.
The Edit page appears, showing the same options as those displayed when you create
a new application signature group.
3. Modify the parameters according to the guidelines provided in “Creating Application
Signature Groups” on page 369.
4. Click Save to save the changes. If you want to discard your changes, click Cancel
instead.
The modified application signature group appears in the Application Signatures page.
Cloning Application Signature Groups
You can clone an application signature group when you want to reuse an existing
application signature group, but with a few minor changes. This way, you can save time
recreating the application signature group from the start.
To clone an application signature group:
1. Select Configuration > Shared Objects > Application Signatures.
The Application Signatures page appears.
2. Right-click the application signature group that you want to clone and then select
Clone, or select More > Clone.
The Clone page appears with editable fields.
3. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
The cloned application signature group is displayed on the Application Signatures page.
Deleting Application Signature Groups
To delete an application signature group:
1. Select Configuration > Shared Objects > Application Signatures.
The Application Signatures page appears.
2. Select the application signature group you want to delete and then click the delete icon (X).
An alert message appears, verifying that you want to delete the selected item.
3. Click Yes to delete the selected application signature group. If you do not want to
delete, click Cancel instead.
Related Documentation
• Application Signatures Overview on page 368
• About the Application Signatures Page on page 368
• Creating Application Signature Groups on page 369
• Signature Database Overview on page 419
About the Departments Page
To access this page, click Configuration > Network Services > Shared Objects >
Departments.
You can use the Departments page to create, view, edit, or delete departments. A
department is a grouping of LAN segments within a site. You use departments to apply
specific policies to LAN segments that are members of a department.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a Department. Click Configuration > Shared Objects > Departments > Create. See “Creating a Department” on page 373.
• Edit a Department. Select a department and click Edit. See “Modifying a Department” on page 374.
• Delete a department. Select a department and click Delete. Before you delete a department, you must reassign all the LAN segments that are assigned to the department. You cannot delete a department that has a LAN segment assigned to it. See “Deleting a Department” on page 374.
Field Descriptions
Table 209 on page 372 shows the descriptions of the fields on the Departments page.
Table 209: Fields on the Departments Page
Field: Description
Name: Displays the name of the department.
Site/LAN Segments: Displays the LAN segments that are assigned to the department.
VPN: Displays the VPN to which the department is assigned.
Description: Displays a description of the department.
Related Documentation
• Creating a Department on page 373
• Modifying a Department on page 374
• Deleting a Department on page 374
Creating a Department
You can create new departments from the Configuration > Shared Objects > Departments
page.
To create a department:
1. Click the add icon (+) on the Departments page.
The Create Department page appears.
2. Complete the configuration settings according to the guidelines provided
in Table 210 on page 373.
Table 210: Fields on the Create Departments Page
Field
Description
Name
Enter a name for the department.
Description
Enter a description of the department.
VPN
Select a VPN to which you want to assign the department.
3. Click OK.
The new department is displayed on the Departments page.
Related
Documentation
•
About the Departments Page on page 372
•
Modifying a Department on page 374
•
Deleting a Department on page 374
Modifying a Department
You can modify a department on the Configuration > Shared Objects > Departments page.
To modify a department:
1.
Select a department and click the edit icon on the Departments page.
The Edit Department page appears.
2. Complete the configuration settings according to the guidelines provided
in Table 211 on page 374.
Table 211: Fields on the Edit Department Page
Field
Description
Name
Modify the name of the department, as needed.
Description
Modify the description of the department.
VPN
Select a VPN to which you want to assign the department.
3. Click OK.
The updated department is displayed on the Departments page.
Related
Documentation
•
About the Departments Page on page 372
•
Creating a Department on page 373
•
Deleting a Department on page 374
Deleting a Department
You can delete departments by clicking the delete icon (X) on the Departments page.
You can delete only one department at a time. You cannot delete a department if it has
policies associated with it or LAN segments assigned to it. Before you delete the
department, you must reassign the LAN segments assigned to that department.
To delete a department:
1.
Select the department that you want to delete.
2. Click the delete icon (X).
The Delete Department page appears.
3. Click OK to confirm deletion.
The department is deleted.
Related
Documentation
•
About the Departments Page on page 372
•
Creating a Department on page 373
•
Modifying a Department on page 374
CHAPTER 38
Managing Deployments
•
Deploying Policies Overview on page 377
•
About the Deployments Page on page 378
•
Using the Deployment Icon to Deploy Policies on page 379
•
Deploying Policies on page 380
Deploying Policies Overview
When you finish creating and verifying your security configurations, you can deploy these
configurations and keep them ready to be pushed to the security devices. CSO enables
you to push security configurations to the devices all at once by providing a single interface
that is intuitive.
The deployment workflow provides the ability to save and publish different services to
be updated at a later time to the appropriate firewalls (during downtime). This enables
administrators to review their firewall and NAT policies before updating the device.
Administrators also save troubleshooting time, avoid errors, and save costs associated
with errors. Verify and tweak your security configurations before updating them to the
device. This approach helps you keep the configurations ready and update these
configurations to the devices during the maintenance window.
When you deploy policies, the process takes into account the priority and precedence
values set on the policy and the order of rules on the device. Rules are published in the
order of their priority groups.
If you change the priority or precedence of a published policy, the policy must be
republished for the changes to take effect. Sometimes, changing priority or precedence
in one policy can affect other policies in the same priority group. However, such dependent
policies do not need to be republished in order for their changes in priority or precedence
to take effect; republishing only the updated policy is sufficient.
There are three ways in which you can view and deploy your security configurations:
•
Click on the deployment icon present in the CSO Customer Portal banner and use the
deployment panel that appears, to deploy policies. See “Using the Deployment Icon
to Deploy Policies” on page 379.
NOTE: The deployment icon is highlighted in orange if there are undeployed
configurations.
•
Use the Deployments page. See “About the Deployments Page” on page 378.
•
Select a firewall, NAT, or SD-WAN policy from its respective landing page and click
Deploy. For more information, see “Deploying Policies” on page 380.
Related
Documentation
•
Using the Deployment Icon to Deploy Policies on page 379
•
About the Deployments Page on page 378
•
Deploying Policies on page 380
About the Deployments Page
To access this page, click Configuration > Deployments.
Use this page to deploy or schedule the deployment of undeployed SD-WAN, NAT, and
firewall policies. Undeployed policies refer to newly created firewall policy rules or NAT
policies. These changes do not come into effect until the policies are deployed. The
Deploy page provides scheduling options for you to deploy these policies.
Tasks You Can Perform
You can perform the following task from this page:
•
Deploy a policy. See “Deploying Policies” on page 380.
Field Descriptions
Table 212 on page 378 provides guidelines on using the fields on the Deployments page.
Table 212: Fields on the Deployments Page
Field
Description
Awaiting
Deployment
The Awaiting Deployment tab displays all the policies that are awaiting deployment. The following fields
provide more information about the undeployed policies:
•
Name—Name of the policy that needs to be deployed.
•
Deployment Type—Type of the policy that needs to be deployed.
•
Summary—Description of the policy.
•
Owner—The tenant who has created the policy.
•
Last updated—The last time the policy was updated.
If you want to deploy a policy, select the policy and click Deploy. The policy is deployed and will no longer
appear in the Awaiting Deployment tab.
If you want to refresh the Awaiting Deployment tab, click the refresh icon provided below the details table.
Scheduled
The Scheduled tab displays all the policies that have been scheduled for deployment on a certain date and
time. The following fields provide more information about scheduled policies:
•
Name—Name of the policy.
•
Deployment Type—Type of the policy that needs to be deployed.
•
Summary—Description of the policy.
•
Schedule—The date and time at which the policy is scheduled to be deployed.
•
Status—Displays whether the scheduled policy has been deployed or not.
•
Next Run—Date and time when the scheduled deployments will be run.
If you want to deploy a scheduled policy immediately, select the policy and click Deploy Now. If you want to
modify the deployment schedule of a policy, select the policy and click the edit icon (pencil icon). The Deploy
page appears displaying the current scheduling information. See “Deploying Policies” on page 380, to update
the schedule.
History
The History tab displays all the policies that have been deployed. The following fields provide more information
about deployed policies:
•
Name—Name of the deployed policy.
•
Deployment Type—Type of the deployed policy.
•
Summary—Description of the policy.
•
Status–Displays the status of the deployed policy.
•
Job Details—Details of the job.
•
Deployed On—Date and time the policy was deployed.
If you want to redeploy a policy, select the policy and click Re-Deploy. The policy is redeployed and the History
tab details change to reflect this information.
Related
Documentation
•
Deploying Policies Overview on page 377
•
Using the Deployment Icon to Deploy Policies on page 379
•
Deploying Policies on page 380
Using the Deployment Icon to Deploy Policies
CSO provides an option of viewing and deploying policies through the deployment panel
that appears when you click the deployment icon. The deployment icon is highlighted
in orange if there are undeployed policies.
To deploy policies through the deployment panel:
1.
Click the deployment icon on the Customer Portal banner.
The deployment panel appears. For information about the panel, see
Table 213 on page 380.
2. Hover over the policy you want to deploy. The Deploy option appears on the right side
of the policy.
3. Click Deploy to deploy the policy. For more information, see “Deploying Policies” on
page 380.
Table 213 on page 380 provides guidelines on using the fields on the deployment panel.
Table 213: Fields on the Deployment Panel
Field
Description
Awaiting
Deployment
The Awaiting Deployment tab displays all the policies that are awaiting deployment.
In Progress
The In Progress tab displays all the policies that are currently being deployed.
Related
Documentation
•
Deploying Policies Overview on page 377
•
About the Deployments Page on page 378
•
Deploying Policies on page 380
Deploying Policies
You can deploy NAT, firewall, and SD-WAN policies added by various services immediately
or schedule the deployment for a later date and time.
To configure a deployment:
1.
You can initiate the deployment of a policy in the following ways:
•
Select a policy from the Awaiting Deployment tab on the Deployments page and
click Deploy.
•
Select a policy from the Scheduled tab on the Deployments page and click Deploy.
•
Select a policy from the Scheduled tab on the History page and click Re-Deploy.
•
Click on the deployment icon on the Customer Portal banner. Hover over a policy
in the Awaiting Deployment tab; the Deploy option appears on the right side of the
policy. Click Deploy to deploy the policy. For more information on the deployment
panel, see “Using the Deployment Icon to Deploy Policies” on page 379.
NOTE: The deployment icon is highlighted in orange if there are
undeployed policies.
•
Click Configuration > Firewall > Firewall Policy. The Firewall Policy page appears,
displaying the intent associated with the policy. Click Deploy. All intents associated
with the firewall policy are deployed.
•
Click Configuration > NAT > NAT Policies and select the NAT policy you want to
deploy. Click Deploy. All rules associated with that NAT policy are deployed.
•
Select an SD-WAN policy intent on the SD-WAN Policy page and click Deploy.
2. In Choose Deployment Time options, select Run Now to deploy the policy immediately.
Select Schedule at a later time to deploy the policy at a later date and time. For
scheduling options, see Table 214 on page 381.
3. Click Deploy to deploy the policy immediately or schedule it for later deployment.
Table 214 on page 381 provides guidelines on using the fields on the Deploy page.
Table 214: Fields on the Deploy Page
Field
Description
Summary
Policies
The summary of the policy that is to be deployed.
Choose Deployment Time
Type
•
Select Run now if you want to deploy the policy immediately.
•
Select Schedule at a later time if you want to schedule the deployment for a later date and time.
Related
Documentation
•
Deploying Policies Overview on page 377
•
Using the Deployment Icon to Deploy Policies on page 379
•
About the Deployments Page on page 378
CHAPTER 39
Managing Sites
•
About the Sites Page on page 383
•
Creating On-Premise Sites on page 384
•
Creating Cloud Sites on page 386
•
Configuring a Site by Uploading a JSON File on page 388
•
Managing a Single Site on page 389
•
Managing LAN Segments on a Tenant Site on page 390
•
Activating a CPE Device on page 392
•
Viewing the History of Device Activation Logs on page 394
•
Configuring a Site on page 395
•
Configuring VRFs and PNE Details for a Site in a Centralized Deployment on page 397
About the Sites Page
To access this page, click Sites > Site Management.
You can use the Sites page to view existing sites and to create on-premise sites and cloud
sites. You can also use this page to view site configuration and device activation
information.
Tasks You Can Perform
You can perform the following tasks from this page:
•
View information about a site.
•
Configure a site by uploading a JSON file. Click Add > Site Upload, browse and locate
the JSON file, and click Import. See “Configuring a Site by Uploading a JSON File” on
page 388.
•
View device activation logs. Click Device Activation Logs. See “Viewing the History of
Device Activation Logs” on page 107.
•
Create a cloud site. Click Add > Cloud Site. See “Creating Cloud Sites” on page 386.
•
Create an on-premise site. Click Add > On-Premise Site. See “Creating On-Premise
Sites” on page 384.
•
Delete a site. Select a site and click the delete icon (X).
•
Configure a site. Select a site and click Configure Site. See “Configuring a Site” on
page 395.
Field Descriptions
Table 215 on page 384 shows the descriptions of the fields on the Sites page.
Table 215: Fields on the Sites Page
Field
Description
Site Name
View the name of the tenant site.
Location
View the location of the tenant site.
Connected To
View the point of presence (POP) that the site is connected to.
State
View the current status of the tenant site. The following options are available:
•
Active
•
Provisioned
•
Failed
Device Status
View the device status. The status indicates whether or not a device is provisioned for
the site.
Role
View the role of the site. The role indicates whether the site is a hub site or a spoke site.
Active Services
View the number of active services configured for the site.
Device Serial Number
View the serial number of the device that is provisioned for the site.
Related
Documentation
•
Creating Cloud Sites on page 386
•
Creating On-Premise Sites on page 384
Creating On-Premise Sites
An on-premise site can be an on-premise hub or spoke site and is located in a CPE within
the tenant location. You create an on-premise site from the Sites page.
To create an on-premise site:
1.
Click Add and select On-Premise Site.
The Add Site for Tenant page appears.
2. Complete the configuration settings in the Site Information tab and the Connectivity
Requirements tab according to the guidelines provided in Table 216 on page 385. You
can review the configuration and modify the settings, if needed, from the Summary
Information tab.
Table 216: Fields on the Add On-Premise Site Page
Field
Description
Site Information
Site Name
Enter a site name.
Site Type
Select the site type—On-Premise hub or Spoke site.
Site Group
Select a site group to which you want to assign the site.
Street Address
Enter the street address of the site.
City
Enter the name of the city where the site is located.
State/Province
Select the state or province where the site is located.
ZIP/Postal Code
Enter the postal code for the site.
Country
Select the country where the site is located.
Connection Plan
Click a connection plan to select the plan for WAN
connectivity.
A connection plan contains information prepopulated
from the device template, and includes the device
information, list of SD-WAN features supported, and the
number of links supported.
Connectivity Requirements for the Selected Plan
WAN_0
Displays the WAN link. Depending on the connection plan
selected, you can configure up to four WAN links per site
that support SD-WAN. You can configure these links as
MPLS or broadband links.
WAN_0 is enabled by default.
Type
Displays the link type of the WAN link (MPLS or Internet),
which is specified in the device profile.
Enable WAN_1
Select this check box to enable the WAN link.
Type
Displays the link type of the WAN link (MPLS or Internet),
which is specified in the device profile.
Add LAN Segment
Name
Enter a unique string of alphanumeric characters and some special characters (. -). No spaces are
allowed and the maximum length is 15 characters.
Port
Select a port number from the list. Depending on the device configured in the connection plan, you
can specify up to two port numbers.
IP Address Prefix
Enter one or more IPv4 prefixes for the site management network.
VLAN ID
Specify the VLAN ID that is associated with the MPLS data link in the range 1 through 4094.
DHCP
Enable or disable DHCP.
Enable DHCP to assign IP addresses by using a DHCP server. Disable DHCP to assign static IP addresses.
By default, DHCP is disabled.
Subnet
Enter the subnet mask of the DHCP IP address pool.
Address Range Low
Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server to
the LAN segment.
Address Range High
Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server to
the LAN segment.
Maximum Lease Time
Specify the maximum duration of time (in seconds) for which a client can request and hold a lease
on a DHCP server. You can enter a value in the range 0 through 4,294,967,295 seconds.
Name Server
Enter the IPv4 address of the DNS server. DNS servers are used for resolving host names to IP addresses.
Department
Select a department to which the LAN segment is to be assigned. Click Create Department to create
a new department and assign the LAN segment to it. You group LAN segments as departments for
ease of management and for applying policies at the department-level.
3. Click OK.
The newly created site is displayed on the Sites page.
Related
Documentation
•
About the Sites Page on page 383
Creating Cloud Sites
In a cloud site, customers access network services from the service provider’s cloud. You
create a cloud site from the Sites page. This page describes how to create a cloud site
for a tenant.
To create a cloud site:
1.
Click Add and select Cloud Site.
The Add Cloud Site page appears.
2. Complete the configuration settings in the Site Information, Configuration, and Service
Attachment Points sections according to the guidelines provided in
Table 217 on page 387.
Table 217: Fields on the Add Cloud Site Page
Field
Description
Site Information
Site Name
Enter a site name.
Cloud Hub Type
Select the cloud hub type—Regional Service Edge, Local Service Edge, or Cloud Hub. All
three hub types are hosted on a point of presence (POP). However, on a POP, you can
have only one hub type at a time.
Site Group
Select a site group to which you want to assign the site. You assign sites to a site group
to facilitate site management for a tenant.
Address
Street Address
Enter the street address of the site.
City
Enter the city where the site is located.
State/Province
Enter the state or province where the site is located.
ZIP/Postal Code
Enter the postal code for the site.
Contact Name
Enter the name of a contact person for the site.
E-mail
Enter the e-mail ID of the contact person.
Phone
Enter the phone number of the contact person.
Virtual Network Name
Enter a unique string of alphanumeric characters and some special characters (. -). No
spaces are allowed and the maximum length is 15 characters.
A virtual network is a representation of your own network in the cloud.
Configuration
Service POP
Select the name of the point of presence (POP) for the site. A network POP is a location
at which a service provider instantiates a network function, such as a virtualized network
function (VNF).
VIM
Select a virtualized infrastructure manager (VIM). The VIM controls and manages the
compute, storage, and network resources in the NFV infrastructure. The VIM also collects
and forwards performance measurements and events.
Resource Pool
Select a resource pool for the VIM. Resource pools identify the compute zones for the
VIM for the POP.
Route Target
Enter a route target for the virtual network.
Service Attachment Points
Local Internet Breakout
Enable or disable Internet access to the site.
Left Subnet Prefix
Select one or more IPv4 prefixes for the management network.
Internet Network Name
Select the network to which the site transmits Internet traffic.
3. Click OK.
The newly created cloud site is displayed on the Sites page.
Related
Documentation
•
About the Sites Page on page 383
•
About the Site Groups Page on page 399
Configuring a Site by Uploading a JSON File
You can use the Site Upload page to configure a site by uploading a JSON file. To configure
a site by using the site upload feature, specify the site parameters in a JavaScript Object
Notation (JSON) file. You can also use the site upload feature to edit the configuration
information of a site. This method enables you to modify only the required parameters
without going through the site creation workflow.
TIP: You can download a sample JSON file from the Download Sample JSON
link and edit the parameters based on the requirements of the site that you
want to configure.
To configure a site by uploading a JSON file:
1.
Click Sites > Add > Site Upload.
The Site Upload page is displayed.
2. Click Browse and navigate to the directory that contains the JSON file.
Alternatively, download a sample JSON file by clicking the Download Sample JSON
link and edit the parameters according to the requirements of the site.
3. Select the file and click Open.
4. Click Import.
A success message is displayed indicating that the file is uploaded successfully.
Related
Documentation
•
About the Sites Page on page 383
Managing a Single Site
You can use the Site Management page to view the site details and to manage the site
configurations for a single site. To access the page, click Sites > Site Management >
Site-Name.
You can perform the following tasks from this page:
•
On the Overview tab, view detailed information about the tenant site, such as
geographical location, connection details, device details, alarms, and alerts.
•
On the WAN tab, view detailed information about the WAN links, such as topology of
the hub-site WAN links, total number of hub and spoke links, total number of
applications, link utilization details, link metrics based on throughput, and the maximum
bandwidth capacity of a WAN link in a site. Hover over the WAN link to view bandwidth
capacity.
•
On the Services tab, view services, deploy network services, start a service, and disable
services for a tenant site. You can also view the topology of the site.
To deploy a network service to a site, select the service, and then select an attachment
point in the topology graphic. Alternatively, drag and drop the network service to an
attachment point in the topology graphic.
•
On the Policies tab, view the following details:
•
List of all policies applicable to a tenant site. Click the policy name to view the rules
that are applicable for the tenant site. Click the edit icon at the end of the row to
edit a policy. You are taken to the Configuration > Policy page, where you can edit
the policies.
•
Details about the tenant user who last updated the policy.
•
Time when the policy was last updated.
•
Deployment status of the policy—deployed or not deployed.
•
Number of rules applicable to the site compared to the total number of rules
applicable to the tenant.
•
On the LAN tab, view, create, modify, deploy, and delete a LAN segment. In addition,
you can use this tab to reassign a LAN segment to a different department. See
“Managing LAN Segments on a Tenant Site” on page 390.
Related
Documentation
•
About the Sites Page on page 383
Managing LAN Segments on a Tenant Site
A network on a tenant site is divided into multiple LAN segments to improve traffic
management and security. A LAN segment is a small portion of a LAN that is used by a
workgroup. A grouping of multiple LAN segments forms a department. LAN segments are
separated by a bridge, a router, or a switch.
You can view and manage LAN segments from the Sites > Site Management > Site Name
> LAN tab.
These topics describe how to manage LAN segments on a site.
•
Creating LAN Segments on page 390
•
Modifying LAN Segments on page 391
•
Deleting LAN Segments on page 391
Creating LAN Segments
You create LAN segments from the Sites > Site Management > Site Name page.
To create a LAN segment:
1.
Click the add icon (+) on the LAN tab.
2. Complete the configuration settings according to the guidelines provided in
Table 218 on page 390.
Table 218: Create LAN Segment Page
Field
Description
Name
Enter a unique string of alphanumeric characters and some special characters (. -). No spaces
are allowed and the maximum length is 15 characters.
Ports
Select a port number from the list. Depending on the device configured in the connection plan,
you can select up to two port numbers.
VLAN ID
Specify the VLAN ID that is associated with the MPLS data link.
DHCP
Enable or disable DHCP. Enable DHCP to assign IP addresses by using a DHCP server. Disable
DHCP to assign static IP addresses. By default, DHCP is disabled.
Subnet
Enter the subnet mask of the DHCP IP address pool.
Address Range Low
Enter the starting IP address in the range of IP addresses that can be allocated by the DHCP server
to the LAN segment.
Address Range High
Enter the ending IP address in the range of IP addresses that can be allocated by the DHCP server
to the LAN segment.
Maximum Lease Time
Specify the maximum duration of time (in seconds) for which a client can request and hold a
lease on a DHCP server. You can enter a value in the range 0 through 4,294,967,295 seconds.
Name Server
Enter the IPv4 address of the DNS server. DNS servers are used for resolving hostnames to IP
addresses.
Department
Select a department to which the LAN segment is to be assigned. You group LAN segments as
departments for ease of management and for applying policies at the department-level. To create
a new department and assign the LAN segment to it, click the Create Department link. See “Creating
a Department” on page 373.
NOTE: You must select at least one port, one IP address prefix, or one
VLAN ID.
3. Click OK.
The new LAN segment is displayed on the tenant site page.
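The field constraints in Table 218 and the NOTE above can be checked before the values are entered on the Create LAN Segment page. The following Python validator is an added example, not code from CSO or Juniper; the dictionary keys and sample values are hypothetical, the VLAN ID range 1 through 4094 comes from the on-premise site table, and the check that both ends of the DHCP range fall in the same subnet is an added sanity check rather than a documented rule.

```python
import ipaddress
import re

# Name rule from the table: alphanumerics plus "." and "-", no spaces, max 15.
NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,15}")
MAX_LEASE = 4_294_967_295  # upper bound stated for Maximum Lease Time (seconds)


def _ipv4(value, field, errors):
    """Parse an IPv4 address, recording an error instead of raising."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        errors.append(f"{field}: not a valid IPv4 address")
        return None


def validate_lan_segment(seg, existing_names=()):
    """Return a list of problems in one LAN segment definition (empty = OK).

    `seg` uses hypothetical keys, not CSO's own schema: name, ports,
    ip_prefixes, vlan_id, dhcp, subnet_mask, range_low, range_high,
    max_lease_time, name_server.
    """
    errors = []

    name = seg.get("name") or ""
    if not NAME_RE.fullmatch(name):
        errors.append("name: use 1-15 characters from A-Z, a-z, 0-9, '.', '-'")
    elif name in existing_names:
        errors.append("name: already used by another LAN segment")

    ports = seg.get("ports") or []
    prefixes = seg.get("ip_prefixes") or []
    vlan = seg.get("vlan_id")
    # NOTE in the procedure: at least one port, IP address prefix, or VLAN ID.
    if not ports and not prefixes and vlan is None:
        errors.append("selection: need at least one port, IP prefix, or VLAN ID")
    if len(ports) > 2:
        errors.append("ports: at most two ports can be selected")
    if vlan is not None and not (isinstance(vlan, int) and 1 <= vlan <= 4094):
        errors.append("vlan_id: must be an integer from 1 through 4094")
    for prefix in prefixes:
        try:
            ipaddress.IPv4Network(prefix, strict=False)
        except ValueError:
            errors.append(f"ip_prefixes: {prefix!r} is not an IPv4 prefix")

    if seg.get("dhcp"):  # DHCP is disabled by default
        mask = None
        try:
            mask = ipaddress.IPv4Network(f"0.0.0.0/{seg.get('subnet_mask')}").netmask
        except ValueError:
            errors.append("subnet_mask: not a valid IPv4 subnet mask")
        low = _ipv4(seg.get("range_low"), "range_low", errors)
        high = _ipv4(seg.get("range_high"), "range_high", errors)
        if low is not None and high is not None:
            if low > high:
                errors.append("range: Address Range Low is above Address Range High")
            elif mask is not None and int(low) & int(mask) != int(high) & int(mask):
                # Added sanity check (assumption, not a documented CSO rule).
                errors.append("range: low and high are in different subnets")
        lease = seg.get("max_lease_time")
        lease_ok = isinstance(lease, int) and 0 <= lease <= MAX_LEASE
        if lease is not None and not lease_ok:
            errors.append("max_lease_time: must be 0 through 4294967295 seconds")

    if seg.get("name_server") is not None:
        _ipv4(seg["name_server"], "name_server", errors)
    return errors


# Constructed sample input; names, ports and addresses are illustrative only.
SAMPLE_OK = {
    "name": "branch-lan.1", "ports": ["LAN_1"], "ip_prefixes": ["192.168.10.0/24"],
    "vlan_id": 100, "dhcp": True, "subnet_mask": "255.255.255.0",
    "range_low": "192.168.10.10", "range_high": "192.168.10.200",
    "max_lease_time": 86400, "name_server": "192.168.10.1",
}
SAMPLE_BAD = {
    "name": "guest wifi", "vlan_id": 4095, "dhcp": True,
    "subnet_mask": "255.255.255.0", "range_low": "10.0.0.200",
    "range_high": "10.0.0.50", "max_lease_time": 2**32,
}

if __name__ == "__main__":
    for seg in (SAMPLE_OK, SAMPLE_BAD):
        print(seg["name"], validate_lan_segment(seg) or "OK")
```
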
Modifying LAN Segments
You can modify a LAN segment from the Sites > Site Management > Site Name page.
To modify a LAN segment:
1.
Select a LAN segment and click the edit icon on the LAN tab.
2. Modify the configuration settings, as necessary, according to the guidelines provided
in Table 218 on page 390.
3. Click OK.
The modified LAN segment is displayed.
Deleting LAN Segments
You can delete a LAN segment from the Sites > Site Management > Site Name page.
To delete a LAN segment:
1.
Select a LAN segment and click the delete icon (X) on the LAN tab.
The Delete LAN Segment page appears.
2. Click OK to confirm deletion.
The LAN segment is deleted.
Activating a CPE Device
You can activate SRX300 Services Gateway and NFX250 Network Services Platform
devices in the following ways:
•
By connecting a computer to the LAN port of the device and entering the activation
code through your browser
•
By specifying the activation code in Customer Portal
You can activate a vSRX Services Gateway device by copying the configuration available
in Customer Portal and pasting the configuration into the SRX Series device console. To
copy the configuration in Customer Portal, click Sites > Stage-1 Config.
To activate a device through your web browser:
1.
Connect a computer to the LAN port of the CPE device and power on the device.
Refer to the documentation for the CPE device for more information.
2. Open a Web browser on your computer.
Because the CPE device is preconfigured with a management address, the browser
displays the login page.
3. Enter the activation code that you have received during the shipping process.
4. Click OK.
On successful authentication, the Phone-Home server pushes the initial configuration
to the CPE device.
To activate a device through Customer Portal:
NOTE: If you activate the CPE device through Customer Portal, you do not
need to activate it through a browser.
1.
Log in to Customer Portal.
2. Click the Sites page in Customer Portal.
After you use Customer Portal to add a site that uses a CPE device, the CPE device
icon on the Sites page is gray if the device is inactive. When you hover over the CPE
device icon on the Monitor page, you should see the message Device Status: Expected,
which indicates that the device is ready to be activated. If you see the message Device
Status: Undefined, contact your service provider for assistance.
3. On the Device Status column, click Activate Device.
The Activate Device page appears. The Activate Device page consists of Device
Information and Device Activation.
4. On the Device Information page, view the site details, device details, and recipient details,
and specify the activation code. For more information, see Table 219 on page 393.
5. Click Next.
On the Device Activation page, the device is activated through the following steps:
•
Detecting the device
•
Applying stage-one configuration to the device
•
Bootstrapping of device
•
Activating the device
After each successful step, you can see a green check mark. If any of these steps fail,
a red exclamation mark appears.
6. After the activation process is complete, click OK.
The Sites page appears. To see the device activation status, hover over the device
icon on the Sites page. You see one of the following statuses:
•
EXPECTED—Device is ready for activation.
•
ACTIVE—Device is authenticated but not yet operational.
•
ACTIVATION_FAILED—Device is not authenticated.
•
GWR_SPAWNED—Device gateway component spawning is successful.
•
GWR_SPAWN_FAILED—Device gateway component spawning fails.
•
PROVISIONED—Device is operational.
•
PROVISION_FAILED—Device failed to become operational. Contact your service
provider for assistance.
Table 219: Fields on the Activate Device Page
Field
Description
Site Name & Type
View the name of the site on which the CPE device is activated.
Connected Hub
View the name of the hub to which the CPE device is connected.
Device Model
View the device model.
Serial Number
View the serial number of the CPE device.
Activation Code
Specify the activation code that your service provider supplied for the CPE device.
Expiry Duration
Specify how long you must wait to activate the device after it boots up. You can set
a duration in the range 1 through 600 seconds. The default is 120 seconds.
Recipient
View the recipient details.
Related
Documentation
•
http://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/nfx-series/product/
•
About the Sites Page on page 383
•
Creating On-Premise Sites on page 384
•
Configuring a Site on page 395
Viewing the History of Device Activation Logs
You can use the ZTP History page to view the history of device activation logs. You can
also view the details of the activation logs and their status.
To view the device activation logs:
1. Click Sites > Device Activation Logs.
The ZTP History page is displayed. Table 64 on page 108 describes the fields on the
ZTP History page.
2. Click a task name.
The ZTP Logs page appears. Table 65 on page 108 describes the fields on the ZTP
Logs page.
3. Click the Task ID.
The Job Status page appears. Table 66 on page 108 describes the fields on the Job
Status page.
4. Click OK to return to the previous page.
Table 220: Fields on the ZTP History Page
| Field | Description |
|---|---|
| In progress | View the number of activated tasks that are in progress. |
| Success | View the number of activated tasks that are successful. |
| Failure | View the number of activated tasks that have failed. |
| Name | View the name of the task. Example: csp.tssm_ztp-Juniper-site-17-NFX-250-8052cc9451914be28c7c98fb64fd0db3 |
| Start Date | View the start date and time of the task. |
| End Date | View the end date and time of the task. |
| Status | View the status of the task to know whether the task succeeded or failed. |
| Log | View the import logs. Click a log to access more detailed information about the imported log. |
Table 221: Fields on the ZTP Logs Page
| Field | Description |
|---|---|
| Task ID | View the ID created for the task. Example: 3f9860ae-dd8f-4579-9357-29c42ab33a07/9 |
| Status | View the status of the task to know whether the task succeeded or failed. |
Table 222: Fields on the Job Status Page
| Field | Description |
|---|---|
| Name | View the name of the task. |
| Actual Start Time | View the start date and time of the task. |
| User | View the name of the user who activated the task. |
| End Time | View the end date and time of the task. |
| State | View the status of the task to know whether the task succeeded or failed. |
Related Documentation
• Activating a CPE Device on page 392
Configuring a Site
In Cloud CPE Solution Release 3.1, you can specify the underlay configuration of a hub
device by using the Configure Site feature on the Site Management page.
To configure a site:
1. Click the Configure Site button on the Sites > Site Management page.
The Configure Site Site Name page is displayed.
2. Complete the configuration settings according to the guidelines provided in
Table 223 on page 396.
Table 223: Fields on the Configure Site Page
| Field | Description |
|---|---|
| Management Region | Displays the regional server with which the CPE device communicates based on the information in the device profile. This field cannot be modified. |
| Selected Plan | Displays the connection plan that you selected when you created the site. This field cannot be modified. |
| Hub Site | Select the hub that the site should connect to. |
| Management Connectivity | |
| VLAN ID | Specify the Operation, Administration, and Maintenance (OAM) VLAN ID for in-band management of the site. |
| IP Prefix | Specify one or more prefixes for the site management network. You can specify IPv4 or IPv6 addresses. Example: 198.51.100.0/24 |
| Gateway IP | Specify the IP address of the default route for the management network. You can use an IPv4 or IPv6 address. |
| WAN Interface | Displays the interface name configured in the device profile. This field cannot be modified. |
| Link Type | Displays the link type (MPLS or Internet) configured in the device profile. This field cannot be modified. |
| Address Assignment | Select the method of IP address assignment. Select DHCP to assign IP addresses by using a DHCP server or Static to assign a static IP address. |
| Traffic Type | Select the traffic type. You specify whether you want to use the WAN link to transmit only data traffic or both management traffic and data traffic. |
| Tunnel Type | Select the tunnel type—IPsec or GRE and IPsec. |
| Peer Device | Displays the hub device to which the site is connected. |
| Interface Name | Select the name of the interface of the hub device to which the MPLS or Internet link is connected. |
| Serial Number | Enter the serial number of the CPE device. Serial numbers are case-sensitive. |
| Activation Code | Enter the code to activate the device. |
3. Click OK.
Related Documentation
• About the Sites Page on page 383
Configuring VRFs and PNE Details for a Site in a Centralized Deployment
If you use a physical network element (PNE) for a centralized deployment, you can use
the Device Configuration page to configure the virtual routing and forwarding instances
for your customer sites if you have not done so in Contrail and in Junos OS on the MX
Series router.
To configure a VRF and PNE details for a site:
1. Click Sites.
The Sites page appears.
2. Select the site name.
3. Click More > Advanced Configuration.
The Device Configuration page appears.
4. Complete the configuration according to the guidelines provided in
Table 224 on page 397.
5. Click OK.
Table 224: Fields on the Device Configuration Page
| Field | Description |
|---|---|
| Site VRF Name | Specify the name of the virtual routing and forwarding (VRF) instance for the tenant. Example: tenantA-VRF |
| Interface Name | Specify the MX Series router interface that connects to the customer site. This value matches the interface that you configure for the MX Series router physical network element (PNE). Example: xe-2/2/2 |
| Interface VLAN | (Optional) Specify a valid VLAN identifier, which is an integer in the range 1 to 4094. Specifying a VLAN identifier enables VLAN tagging. If you do not specify a value, the VLAN is untagged. Example: 52 |
| Interface Address | (Optional) Specify an IPv4 address with a network mask for the VLAN interface. Example: 192.0.2.16/24 |
| Default Gateway | (Optional) Specify the IPv4 address for the default route for Internet traffic. Example: 192.0.2.20 |
| Route Target | Specify the route target for the site. This value matches the route target value that you configure for the MX Series router PNE. Example: 64512:1102 |
| Route Distinguisher | Specify a unique route distinguisher for the site. You can specify any unique route distinguisher, such as the route target for the site. Example: 64512:1102 |
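A pre-flight check for the Table 224 values, added here as an example (it is not part of the Juniper guide or of CSO): it applies the ranges the table states and reports route distinguishers reused across sites, since the table requires each to be unique. The dictionary keys, the interface-name pattern, the ASN:number-only parsing, and the gateway-in-subnet rule are assumptions made for this example.

```python
import ipaddress
import re

# Assumption: only the "ASN:number" form shown in the page's example
# (64512:1102) is accepted; the IP-address:number form is not handled.
_ASN_NUM = re.compile(r"(\d+):(\d+)")
# Assumption: Junos-style physical interface names such as xe-2/2/2.
_IFNAME = re.compile(r"[a-z]{2}-\d+/\d+/\d+")


def _asn_number_ok(value):
    """True for 2-byte ASN:4-byte number or 4-byte ASN:2-byte number."""
    m = _ASN_NUM.fullmatch(value or "")
    if not m:
        return False
    asn, num = int(m.group(1)), int(m.group(2))
    return (asn <= 0xFFFF and num <= 0xFFFFFFFF) or (
        asn <= 0xFFFFFFFF and num <= 0xFFFF)


def validate_device_config(cfg):
    """Check one site's Device Configuration values; return a list of problems."""
    errors = []
    if not cfg.get("site_vrf_name"):
        errors.append("Site VRF Name is required")
    if not _IFNAME.fullmatch(cfg.get("interface_name") or ""):
        errors.append("Interface Name does not look like xe-2/2/2")

    vlan = cfg.get("interface_vlan")        # optional: untagged when absent
    if vlan is not None:
        is_int = isinstance(vlan, int) and not isinstance(vlan, bool)
        if not (is_int and 1 <= vlan <= 4094):
            errors.append("Interface VLAN must be an integer from 1 to 4094")

    iface = None
    addr = cfg.get("interface_address")     # optional
    if addr is not None:
        try:
            if "/" not in addr:
                raise ValueError("missing network mask")
            iface = ipaddress.IPv4Interface(addr)
        except ValueError as exc:
            errors.append(f"Interface Address invalid: {exc}")

    gw = cfg.get("default_gateway")         # optional
    if gw is not None:
        try:
            gw_ip = ipaddress.IPv4Address(gw)
            # Assumption (not stated on the page): the gateway must sit in
            # the interface subnet and differ from the interface address.
            if iface and (gw_ip not in iface.network or gw_ip == iface.ip):
                errors.append("Default Gateway is not on the interface subnet")
        except ValueError as exc:
            errors.append(f"Default Gateway invalid: {exc}")

    for key, label in (("route_target", "Route Target"),
                       ("route_distinguisher", "Route Distinguisher")):
        if not _asn_number_ok(cfg.get(key)):
            errors.append(f"{label} must be ASN:number, for example 64512:1102")
    return errors


def duplicate_route_distinguishers(sites):
    """Return {rd: [VRF names]} for each route distinguisher used more than once."""
    seen = {}
    for cfg in sites:
        seen.setdefault(cfg.get("route_distinguisher"), []).append(
            cfg.get("site_vrf_name"))
    return {rd: names for rd, names in seen.items() if len(names) > 1}


# Values taken from the examples in Table 224.
PAGE_EXAMPLE = {
    "site_vrf_name": "tenantA-VRF", "interface_name": "xe-2/2/2",
    "interface_vlan": 52, "interface_address": "192.0.2.16/24",
    "default_gateway": "192.0.2.20", "route_target": "64512:1102",
    "route_distinguisher": "64512:1102",
}
# Constructed sample with three mistakes and a reused route distinguisher.
CONSTRUCTED_BAD = {
    "site_vrf_name": "tenantB-VRF", "interface_name": "xe-2/2/3",
    "interface_vlan": 4095, "interface_address": "192.0.2.16",
    "default_gateway": "198.51.100.1", "route_target": "64512",
    "route_distinguisher": "64512:1102",
}

if __name__ == "__main__":
    for site in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        print(site["site_vrf_name"], validate_device_config(site))
    print(duplicate_route_distinguishers([PAGE_EXAMPLE, CONSTRUCTED_BAD]))
```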
Related Documentation
• Creating On-Premise Sites on page 384
CHAPTER 40
Managing Site Groups
• About the Site Groups Page on page 399
• Creating Site Groups on page 400
About the Site Groups Page
To access this page, click Sites > Site Groups.
You can use the Site Groups page to view, create, and delete site groups for a tenant.
Site groups enable you to group sites logically, thereby easing site management. You
can use site groups to apply policies at the site group level.
You must be a Tenant Administrator user to access the Site Groups page.
Tasks You Can Perform
You can perform the following tasks from this page:
• View existing site groups. See “Viewing Object Details” on page 14.
• Create site groups. See “Creating Site Groups” on page 400.
• Edit site groups. Select a site group and click the edit icon.
• Delete site groups. To delete a site group, select it on the Site Groups page and click the delete (X) icon.
Field Descriptions
Table 225 on page 399 shows the descriptions of the fields on the Site Groups page.
Table 225: Fields on the Site Groups Page
| Field | Description |
|---|---|
| Name | Displays the name of the site group. |
| Sites | Displays the names of the sites that are members of a site group. |
Related Documentation
• Creating Site Groups on page 400
Creating Site Groups
You can use the Create Site Group page to create a new site group for a tenant and add
sites to it.
To create a site group:
1. Click Sites > Site Groups.
The Site Groups page appears.
2. Click the add icon (+).
The Create Site Group page appears.
3. Enter a unique name for the site group.
4. From the list of sites in the Available column, select the sites that you want to include
in the new group and click the greater-than icon (>).
The selected sites are moved to the Selected column.
5. Click OK. If you want to discard your changes, click Cancel instead.
The new site group is displayed on the Site Groups page.
Related Documentation
• About the Site Groups Page on page 399
CHAPTER 41
Reports
• Reports Overview on page 401
• About the Report Definitions Page on page 402
• Performing Different Actions on Reports on page 403
• About the Generated Reports Page on page 404
• Creating Log Report Definition on page 405
• Creating Bandwidth Report Definition on page 406
• Editing and Deleting Log Report Definitions on page 407
• Editing and Deleting Bandwidth Report Definitions on page 409
Reports Overview
Reports are generated based on the summary of network activity and overall network
status. You can use the predefined reports as-is, or you can build custom reports that
meet your needs for specific data.
Using reports, you can:
• Schedule reports based on the defined filters.
• Schedule reports based on the available default reports.
• Generate daily, weekly, and monthly reports, and send e-mail notifications to defined recipients.
• Generate reports with multiple sections, where each section has its own criteria.
The generated report will have a table of contents (TOC) with links to each section of
the report. When the system generates a report, you and other designated recipients will
receive the report in PDF format through e-mail.
Reports enable you to perform trend analysis of your network's activities.
The following are the types of reports:
• Log Based Reports—Allows you to schedule reports based on the default reports and the default defined filters. You can also generate reports with different data criteria, which includes filters, aggregation criteria, and time range.
• Bandwidth Based Reports—Allows you to analyze the bandwidth usage of an application or a user.
Related Documentation
• About the Report Definitions Page on page 402
• About the Generated Reports Page on page 404
About the Report Definitions Page
To access this page, click Customer Portal > Reports.
The Report Definitions page shows a list of predefined and custom reports. You can use
the predefined reports as-is, or you can build custom reports.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a log report definition. See “Creating Log Report Definition” on page 405.
• Create a bandwidth report definition. See “Creating Bandwidth Report Definition” on page 406.
• You can also edit, run, and clone reports. See “Performing Different Actions on Reports” on page 403.
Field Descriptions
Table 226 on page 402 provides guidelines on using the fields on the Report Definitions
page.
Table 226: Fields on the Report Definitions Page
| Field | Description |
|---|---|
| Name | View the name of the report (user created or predefined). Example: Top Destination Countries |
| Description | View the description of the report definition. Example: Report for Top Destinations by Countries |
| Type | View the type of report definition used such as bandwidth report or log report. Example: BANDWIDTH |
| Definition Type | View the type of report definition. Example: PREDEFINED |
| Report Content | View the details of the sections in the report. For example, Top Applications, Top Applications Blocked, Top Roles, and so on. |
| Schedule | View the report generation schedule whether to run the report immediately or schedule it for a later date and time. |
| Recipients | View the recipients of the generated reports. |
| Last Generated | View the time when the last report was generated if the report is scheduled at a later time. |
| Job ID | View the Job ID of the report. |
Related Documentation
• Reports Overview on page 401
• Creating Log Report Definition on page 405
• Creating Bandwidth Report Definition on page 406
Performing Different Actions on Reports
You can perform various actions on reports such as running a report immediately, editing
a schedule, editing e-mail recipients, previewing a report in PDF, sending reports, and
cloning reports.
To perform these actions on the report:
1. Select Reports > Report Definitions.
2. Select the report definition or right-click the report definition or click the More
drop-down list.
3. Select the appropriate action from the drop-down list:
• Delete Report—You can select one or more report definitions and click the delete icon (X) to delete the report definition(s).
• Run Now—Runs the report immediately and provides a link to view the report in PDF format. You can view the archived reports by clicking the Generated Reports link on the left navigation pane. This option is also available as the Run Now button on the Report Definitions page.
• Preview as PDF—Provides the PDF preview of the report.
• Send Report—Sends the report through e-mail to the recipient immediately. The user receives a notification once the report is sent. The user can also use the job ID to see more details of the job.
• Edit Schedule—Allows the user to edit the schedule, such as adding a recurrence, start date, end date, and time.
• Edit Recipients—Allows the user to edit or add the recipients, e-mail address, subject, and comments.
• Clone—Allows the user to clone an existing report definition.
About the Generated Reports Page
To access this page, click Customer Portal > Reports > Generated Reports.
Use this page to view the list of reports that are generated from the Report Definitions
page. You must click on the report to view the report in PDF format.
Tasks You Can Perform
You can perform the following tasks from this page:
• Delete the generated report.
• Open the generated report.
Field Descriptions
Table 227 on page 404 provides guidelines on using the fields on the Generated Reports
page.
Table 227: Fields on the Generated Reports Page
| Field | Description |
|---|---|
| Report PDF Name | View the name of the report (user created or predefined). |
| Generated Time | View the date and time when the report was generated. |
| Description | View the description of the report. |
| Definition Name | View the name of the report definition. |
| Generated By | View the name of who generated the report. |
| Recipients | View the recipients of the generated reports. |
Related Documentation
• Reports Overview on page 401
• About the Report Definitions Page on page 402
Creating Log Report Definition
You can use this page to create log report definitions. Log-based reports help you to
schedule reports based on default reports and default defined filters. You can also
generate reports with additional data criteria, including filters, aggregation criteria, and
time range.
1. Select Reports > Report Definitions.
The Report Definitions page appears.
2. Click Create > Log Report Definitions.
The Create Log Report Definition page appears.
3. Complete the configuration according to the guidelines provided in
Table 228 on page 405.
4. Click OK to save the log report definition. If you want to discard your changes, click
Cancel instead.
Table 228: Fields on the Create Log Report Definition Page
| Field | Description |
|---|---|
| General | |
| Report Name | Enter a unique name for the report definition that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 29 characters. |
| Description | Enter a description for the report definition; maximum length is 1024 characters. |
| Content | |
| Use Data Criteria from Filters | Click Use Data Criteria from Filters. Select the data criteria from the list of default and user-created filters that are saved from the Events and Logs page. The details of the filters displayed are: • Filter Name—Name of the filter. • Filter Description—Description of the filter. • Group By—Selected Group By option. • Time Span—Duration for which the data is displayed. • Filter By—List of default and user-created filters. NOTE: The default time stamp value is the last 3 hours. |
| Schedule | |
| Add Schedule | Click Add Schedule. Select the type of report schedule that you want to use: • Run now—Select this option to schedule and publish the configuration at the current time. • Schedule at a later time—Select this option if you want to schedule and publish the configuration at a later time. |
| E-Mail | |
| Add E-Mail Recipients | Click Add E-mail Recipients. • Recipients—Enter or select the e-mail addresses of the recipients. By default, you can search by first name and select registered users. You can also type in external e-mail addresses. • Subject—Enter the subject for the e-mail notification. • Comment—Enter the comments for the e-mail notification. NOTE: The reports are not sent if a specified recipient does not have permission for a device or domain included in the report configuration when the report is generated. |
Related Documentation
• About the Report Definitions Page on page 402
• Creating Bandwidth Report Definition on page 406
Creating Bandwidth Report Definition
You can use this page to create bandwidth report definitions. Bandwidth reports help
you analyze the bandwidth usage of an application or a user. They give you important
information on bandwidth usage and help you identify the top applications and top users
consuming bandwidth.
1. Select Reports > Report Definitions.
2. Click Create > Bandwidth Report Definitions.
The Create Bandwidth Report Definition page appears.
3. Complete the configuration according to the guidelines provided in
Table 229 on page 407.
4. Click OK to save the log report definition. If you want to discard your changes, click
Cancel instead.
Table 229: Fields on the Create Bandwidth Report Definition Page
| Field | Description |
|---|---|
| General | |
| Report Name | Enter a unique name for the report definition that is a string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters. |
| Description | Enter a description for the report definition; maximum length is 1024 characters. |
| Content | |
| Show Top | Specify the number of top events to be displayed. The value ranges from 1-20. The default value is 10. |
| Last | Specify the time period to generate the report from the last 3, 6, 12, or 24 hours. |
| Schedule | |
| Add Schedule | Click Add Schedule. Select the type of report schedule that you want to use: • Run now—Select this option to schedule and publish the configuration at the current time. • Schedule at a later time—Select this option if you want to schedule and publish the configuration at a later time. |
| E-Mail | |
| Add E-Mail Recipients | Click Add E-mail Recipients. • Recipients—Enter or select the e-mail addresses of the recipients. By default, you can search by first name and select registered users. You can also type in external e-mail addresses. • Subject—Enter the subject for the e-mail notification. • Comment—Enter the comments for the e-mail notification. NOTE: The reports are not sent if a specified recipient does not have permission for a device or domain included in the report configuration when the report is generated. |
Related Documentation
• About the Report Definitions Page on page 402
• Editing and Deleting Log Report Definitions on page 407
• Editing and Deleting Bandwidth Report Definitions on page 409
Editing and Deleting Log Report Definitions
You can edit and delete log report definitions. This topic contains the following sections:
• Editing the Log Report Definition on page 408
• Deleting Log Report Definitions on page 408
Editing the Log Report Definition
To edit the log report definition:
1. Select Reports > Report Definitions.
The Report Definitions page appears.
2. Select the check box of the log report definition that you want to modify, and click
the edit icon.
The Edit Log Report Definition page appears. The options available on the Create Log
Report Definition page are available for editing.
3. Update the configuration as needed.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
Deleting Log Report Definitions
You can clear all unwanted report definitions that are not used anywhere in your network.
Use the delete icon (X) in the top right corner of a page to delete one or more log report
definitions.
NOTE: You can delete only custom log report definitions.
To delete a log report definition:
1. Select Reports > Report Definitions.
The Report Definitions page appears.
2. Select the log report definition or right-click the report definition that you want to
delete and click the delete icon (X).
The Confirm Delete page appears.
3. Click Yes to delete the log report definition or No to cancel the deletion.
The log report definition is deleted from the main page.
Related Documentation
• About the Report Definitions Page on page 402
• Creating Log Report Definition on page 405
Editing and Deleting Bandwidth Report Definitions
You can edit and delete bandwidth report definitions. This topic contains the following
sections:
• Editing the Bandwidth Report Definition on page 409
• Deleting Bandwidth Report Definitions on page 409
Editing the Bandwidth Report Definition
To edit the bandwidth report definition:
1. Select Reports > Report Definitions.
The Report Definitions page appears.
2. Select the check box of the log report definition that you want to modify, and click
the edit icon.
The Edit Bandwidth Report Definition page appears. The options available on the
create bandwidth report definition page are available for editing.
3. Update the configuration as needed.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
Deleting Bandwidth Report Definitions
You can clear all unwanted report definitions that are not used anywhere in your network.
Use the delete icon (X) in the top right corner of a page to delete one or more log report
definitions.
NOTE: You can delete only custom bandwidth report definitions.
To delete a bandwidth report definition:
1. Select Reports > Report Definitions.
The Report Definitions page appears.
2. Select the bandwidth report definition or right-click the report definition that you
want to delete and click the X icon.
The Confirm Delete page appears.
3. Click Yes to delete the bandwidth report definition or No to cancel the deletion.
The bandwidth report definition is deleted from the main page.
Related Documentation
• About the Report Definitions Page on page 402
• Creating Bandwidth Report Definition on page 406
CHAPTER 42
Managing Tenant Users
• Role-Based Access Control Overview on page 411
• About the Tenant Users Page on page 412
• Adding Tenant Users on page 413
• Editing and Deleting Tenant Users on page 414
Role-Based Access Control Overview
Contrail Service Orchestration supports the authentication and authorization of users.
Both MSP and tenant users access the pages within the unified Administration and
Customer Portal based on their role and access permissions.
Table 114 on page 187 shows MSP and Tenant roles and their access privileges.
Table 230: Roles and Access Privileges
| Role | Access Privileges |
|---|---|
| MSP Administrator | Users with the MSP Administrator role have full access to the Administration Portal UI or API capabilities. They can use the UI or APIs to add one or more users with MSP Administrator or MSP Operator roles, onboard tenants, and add the first tenant administrator during the onboarding process. They can also add tenant administrators or operators by switching the scope to a specific tenant. |
| MSP Operator | Users with the MSP Operator role have read-only access to the Administration Portal UI and APIs. |
| Tenant Administrator | Users with the Tenant Administrator role have full access to the Customer Portal UI and APIs. They can add one or more users with the Tenant Administrator or Tenant Operator roles. |
| Tenant Operator | Users with the Tenant Operator role have read-only access to the Customer Portal UI and APIs. |
Related Documentation
• About the Tenant Users Page on page 412
About the Tenant Users Page
To access this page, click Administration > Users.
Use the Users page to add, edit, and delete users for a tenant. You can also assign roles
to tenant users. The MSP Administrator, MSP Operator, Tenant Administrator, and Tenant
Operator can access the Users page for tenants. The MSP Administrator and the MSP
Operator can switch from all-tenants scope to specific-tenant scope. To know more
about tenant users roles and access permissions, see “Role-Based Access Control
Overview” on page 187.
The information listed on the Users page changes depending on the authentication mode
configured:
• Local Authentication—The Users page lists tenant-specific local users that you can add, edit, and delete.
• Authentication with SSO Server—The Add User page does not display the password field because you can assign a role only to an external user.
• Authentication and Authorization with SSO Server—The Users page is not displayed because users are externally managed in the single sign-on (SSO) server.
Tasks You Can Perform
The tenant administrator can perform the following tasks from this page:
• Add a tenant user. See “Adding Tenant Users” on page 413.
• Edit and delete a tenant user. See “Editing and Deleting Tenant Users” on page 414.
Field Descriptions
Table 231 on page 412 provides guidelines on using the fields on the Users page.
Table 231: Fields on the Users Page
| Field | Description |
|---|---|
| Username | Username of the tenant user. Example: abc@example.com |
| First Name | First name of the tenant user. |
| Last Name | Last name of the tenant user. |
| Role | Role assigned to the tenant user. Example: Tenant Operator |
| Last Login | Date and time of the last login. The format is MM/DD/YYYY HH:MIN. Example: 07/22/2017 20:07 |
Related Documentation
• Adding Tenant Users on page 413
• Editing and Deleting Tenant Users on page 414
• Switching the Tenant Scope on page 213
Adding Tenant Users
Use this page to add tenant users and assign roles to users. After the tenant administrator
adds the user, the user account is created in Contrail Service Orchestration (CSO)
and the user receives an e-mail with initial login credentials.
NOTE: Users with the Tenant Operator role have read-only access to the
Customer Portal and APIs, and they cannot add new users.
To add a tenant user:
1. Select Administration > Users.
The Users page appears.
2. Click the add icon (+) or click Add User.
The Add User page appears.
3. Complete the configuration as described in Table 232 on page 413.
4. Click OK to save the changes. If you want to discard the changes, click Cancel instead.
The tenant user account is created in CSO.
Table 232: Fields on the Add User Page
| Field | Description |
|---|---|
| First Name | Enter the first name as a string of alphanumeric characters and the special characters space, underscore (_), or period (.). The maximum length is 32 characters. |
| Last Name | Enter the last name as a string of alphanumeric characters and the special characters space, underscore (_), or period (.). The maximum length is 32 characters. |
| Username (E-mail) | Enter a valid e-mail address in the user@domain format. |
| Role | Select the role—Tenant Operator (default) or Tenant Administrator—that you want to assign to the user. • Tenant Administrator—Users with the Tenant Administrator role have full access to the Customer Portal UI and APIs. They can add one or more users with Tenant Administrator or Tenant Operator roles. • Tenant Operator—Users with the Tenant Operator role have read-only access to Customer Portal UI and APIs. |
| Password | Enter a password that is 6–21 characters long and contains uppercase and lowercase letters, at least one number, and one special character. |
| Confirm Password | Reenter the password. |
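The Add User rules from Table 232, combined with the role privileges in Table 230 and the authentication modes listed for the Users page, written out as a check you could run over a batch of accounts before entering them. This is an added example, not CSO code: the function names, dictionary keys, and auth_mode values are hypothetical, and treating "special character" as ASCII punctuation and names as ASCII-only are assumptions.

```python
import re
import string

TENANT_ROLES = ("Tenant Operator", "Tenant Administrator")
# Per Table 230: tenant administrators add tenant users, and MSP
# administrators can do so after switching scope to the tenant.
CAN_ADD_TENANT_USERS = ("Tenant Administrator", "MSP Administrator")
NAME_RE = re.compile(r"[A-Za-z0-9 _.]{1,32}")   # assumption: ASCII only
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+")       # user@domain shape only


def password_problems(pw):
    """Return the Table 232 password rules that pw violates."""
    problems = []
    if not 6 <= len(pw) <= 21:
        problems.append("length must be 6 to 21 characters")
    checks = (
        ("an uppercase letter", str.isupper),
        ("a lowercase letter", str.islower),
        ("a number", str.isdigit),
        # Assumption: the page does not list the accepted special characters.
        ("a special character", lambda c: c in string.punctuation),
    )
    for label, predicate in checks:
        if not any(predicate(c) for c in pw):
            problems.append(f"must contain {label}")
    return problems


def validate_add_user(actor_role, user, auth_mode="local"):
    """Return a list of reasons the Add User request would be rejected."""
    errors = []
    if actor_role not in CAN_ADD_TENANT_USERS:
        errors.append(f"{actor_role} is not permitted to add tenant users")
    for key, label in (("first_name", "First Name"), ("last_name", "Last Name")):
        if not NAME_RE.fullmatch(user.get(key) or ""):
            errors.append(f"{label} must be 1 to 32 letters, digits, spaces, _ or .")
    if not EMAIL_RE.fullmatch(user.get("username") or ""):
        errors.append("Username must be an e-mail address in user@domain format")
    # Tenant Operator (read-only) is the default role in Table 232.
    role = user.get("role") or "Tenant Operator"
    if role not in TENANT_ROLES:
        errors.append(f"Role must be one of {TENANT_ROLES}")
    if auth_mode == "local":
        pw = user.get("password") or ""
        errors.extend(f"Password {p}" for p in password_problems(pw))
        if pw != user.get("confirm_password"):
            errors.append("Confirm Password does not match Password")
    elif "password" in user or "confirm_password" in user:
        # With SSO authentication the Add User page has no password field.
        errors.append("Password is not set in CSO when an SSO server authenticates users")
    return errors


# Constructed sample account; the username is the example from Table 231.
CONSTRUCTED_USER = {
    "first_name": "Ana", "last_name": "Lopez", "username": "abc@example.com",
    "password": "Str0ng!pw", "confirm_password": "Str0ng!pw",
}

if __name__ == "__main__":
    print(validate_add_user("Tenant Administrator", CONSTRUCTED_USER))
    print(validate_add_user("Tenant Operator", CONSTRUCTED_USER))
    print(password_problems("abc"))
```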
Related Documentation
• About the Tenant Users Page on page 412
• Editing and Deleting Tenant Users on page 414
Editing and Deleting Tenant Users
You can edit tenant users’ information and delete one or more tenant users.
NOTE: Users with the Tenant Operator role have read-only access to the
Customer Portal and APIs, and they cannot edit and delete users.
• Editing Tenant Users on page 414
• Deleting Tenant Users on page 415
Editing Tenant Users
To modify a tenant user:
1. Select Administration > Users.
The Users page appears.
2. Select the user that you want to modify, and click the edit icon.
The Edit User page appears. The options available on the Add User page are available
for editing.
NOTE: You cannot modify the Username (E-mail) field.
3. Update the configuration as needed.
4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
The modified tenant user information is saved in CSO.
Deleting Tenant Users
To delete tenant users:
1. Select Administration > Users.
The Users page appears.
2. Select the users that you want to delete and click the delete icon (X).
The Confirm Delete page appears.
3. Click Yes to delete the user or No to cancel the deletion.
If you click Yes, the user is deleted and the user account is removed from CSO.
Related Documentation
• About the Tenant Users Page on page 412
• Adding Tenant Users on page 413
CHAPTER 43
Licenses
• About the Licenses Page on page 417
About the Licenses Page
To access this page, click Administration > Licenses.
You can use the Licenses page to view information about uploaded licenses for virtual
network services from your local file system. The license key is required to enable
application-based routing, application monitoring, and other vSRX security features.
Tasks You Can Perform
You can perform the following tasks from this page:
• View details about a license. Click the details icon that appears when you hover over the name of an image or click More > Details. See “Viewing Object Details” on page 223.
• Show or hide columns about the license. See “Sorting Objects” on page 223.
• Search an object about the license. See “Searching for Text in an Object Data Table” on page 224.
Field Descriptions
Table 233 on page 417 describes the fields on the License Files page.
Table 233: Fields on the License Files Page
| Field | Description |
|---|---|
| License Name | View the filename of the license. Example: license_Image_v1 |
| Build | View the build name of the license. Example: 1 |
| Version | View the version number of the license. Example: 1.1 |
| Vendor | View the vendor name of the license. Example: Juniper Networks |
| Family | Select the device family of the license. Example: SRX |
| Model | View the model number of the license. Example: 1 |
| Description | View the description of the license. Example: The license is applicable for SRX340 device. |
| Uploaded By | View the administrator who uploaded the license. Example: test_admin |
| Last Uploaded | View the date and time when the license was uploaded. Example: 11/18/2016 19:15 |
Related Documentation
• Viewing Object Details on page 14
CHAPTER 44
Signature Database
• Signature Database Overview
• About the Active Database Page
• Installing Signatures
Signature Database Overview
The Application Firewall signature database includes signature definitions of attacks
and applications that can be used to identify applications for tracking firewall policies
and quality-of-service (QoS) prioritization.
Contrail Service Orchestration (CSO) enables you to download the signature database.
During a download, the complete signature database is downloaded, and the download
might take some time to complete. You can track the progress of the download by using
job details.
All of the downloaded signatures are created as a default project in read-only mode. The
configurations that are downloaded are also saved as a default project.
Related Documentation
• About the Active Database Page on page 420
• Installing Signatures on page 421
About the Active Database Page
To access this page, select Administration > Signature Database. The Active Database
page appears.
Use the Active Database page to download and install the Application Firewall signature
database to security devices. This database includes signature definitions of attacks and
applications that can be used to identify applications for tracking firewall policies,
SD-WAN flows, and QoS prioritization.
Tasks You Can Perform
You can perform the following task from this page:
• Install signatures. See “Installing Signatures” on page 421.
Field Descriptions
The Active Database page provides an overall, high-level view of your signature database
settings. The Latest List of Signatures table provides a search option that you can use to
search for the signature you want. Table 234 on page 420 describes the fields on this page.
Table 234: Fields on the Active Database Page
Active Database
Field: Database Version
Description: Version of signature database.
Field: Publish Date
Description: Date when the signature database was published.
Field: Update Job
Description: Job ID of the last successful download signatures job.
Field: Installed Device Count
Description: Number of devices installed.
Field: Detectors
Description: Version number of the protocol detector currently running on the device.
Field: Action
Description: Install signature database configuration.
Latest List of Signatures
Field: Database Version
Description: Version of latest signature database.
Field: Publish Date
Description: Date when the signature database was published.
Field: Update Summary
Description: List of updated signature details for the selected database.
Field: Detectors
Description: Version number of the protocol detector currently running on the device.
Field: Action
Description: Full Download: Download the complete signature database; the download might take a while to complete.
Related Documentation
• Signature Database Overview on page 419
• Installing Signatures on page 421
Installing Signatures
After the signature database is downloaded, you can install the active database.
To install the signature database:
1. Select Administration > Signature Database.
2. Click Install Signatures.
The Install Signatures page appears.
3. View the summary of the active signature database version that will be installed
on your device.
4. Click the check box next to the devices on which you want to install the signature
database.
You can also search, sort, or filter this information.
5. Select Run now to set the signature database to automatically install immediately.
6. Select Schedule at a later time to set the signature database to automatically download
at the specified time and to take the following actions:
a. Choose a date by clicking the date picker icon.
b. Enter the time.
c. Select the time format from the drop-down list.
7. Click OK.
The signature database installation is complete.
Related Documentation
• Signature Database Overview on page 419
• About the Active Database Page on page 420
PART 3
Designer Tools
• Configuration Designer
• Resource Designer
• Network Service Designer introduction
• Creating Requests for Network Services
• Creating Network Services
• Managing Network Services
CHAPTER 45
Configuration Designer
• Configuration Designer Overview
• Accessing the Configuration Designer
• Using the Configuration Designer
• Changing Your Password
• About the Requests Page for the Configuration Designer
• Creating Requests for Configuration Templates
• Designing Templates with a YANG Configuration
• Designing Templates with a Configuration
• Publishing Configuration Templates
• About the Designs Page for the Configuration Designer
• Cloning Configuration Templates
• Deleting Configuration Template Designs
Configuration Designer Overview
Configuration Designer, Resource Designer, and Network Service Designer are visual
designer tools used by the Juniper Networks Cloud CPE solution for smooth onboarding.
The tools offer network designers a convenient way of bringing virtualized network
functions (VNFs) from Juniper Networks and third-party companies into the network
services catalog using a graphical user interface (GUI).
Configuration Designer provides an intuitive UI-based workflow for creating and managing
configuration templates. These templates are rendered automatically in a GUI format
that can be used as is by Resource Designer. Resource Designer uses these templates
to create VNF packages that are then published to Network Service Designer.
Network Service Designer uses the VNF packages to design customized network services
that are published to the network services catalog. The network services catalog contains
a list of usable network services. Service provider administrators access the network
services catalog to assign a set of network services to their customers using the
Administration Portal. Finally, customer administrators access the network services
assigned to them using a Customer Portal to manage their sites and services.
Figure 1 on page 426 shows a Configuration Designer and its workflow.
Figure 1: Configuration Designer Workflow
[Figure labels: Your data model or your working configuration; Configuration Designer; Configuration parameterization; Configuration templates; Resource Designer; VNF packages; Network Service Designer; Customized network services; Network services catalog; Administration Portal (service provider administrator); Customer Portal (customer administrator)]
Configuration Designer creates templates based on a simple concept of configuration
parameterization. Parameterization facilitates the creation of versatile configuration
templates that can be easily used for different configurations. It provides variables and
parameters that you can substitute with actual values. For example, if you deployed
an instance of a nonparameterized template (with fixed IP addresses specified for a
network interface), a second deployment would require you to delete the first instance
or it would lead to an error. However, in a parameterized template you would simply
specify the required values for the provided parameters.
A configuration template has prepopulated values for configuration settings associated
with a virtualized network function (VNF). The configuration in the templates can be of
the following types:
• Device-level base configurations, such as an interface configuration
• Service configurations, such as a firewall policy configuration
• Monitoring configurations, such as a CLI, SNMP, or other monitoring command configuration
In Configuration Designer, you can manually type a working configuration or copy and
paste an existing golden configuration from your device. You can also use your own data
model to configure your template. Once created, the templates are listed on a Design
page, where you can review them at a glance. You can also modify the parameters and
values of your templates as needed from the Design page.
The configuration templates can be used by:
• Network designers to create a day 0 configuration or default parameters in the Resource Designer. For example, they can enter interface information.
• Your customer administrators or end users (using the Customer Portal):
   • On Day 1 they can customize their services during VNF instantiation. For example, they can enter IP addresses for a given site.
   • On Day 2 they can update a configuration of existing instances. For example, they can configure their network to block social media.
Related Documentation
• Accessing the Configuration Designer on page 427
• Changing Your Password on page 428
• Using the Configuration Designer on page 427
Accessing the Configuration Designer
To access the Configuration Designer:
1. Review the OpenStack Keystone username and password that you defined.
   • For a centralized deployment, you can view these settings on the Contrail configure and control node in the files /etc/contrail/keystonerc and /etc/contrail/openstackrc.
   • For a distributed deployment, you can view these settings on the central infrastructure node in the file /etc/keystone/keystonerc.
   • The default username is cspadmin and the default password is passw0rd.
2. Using a Web browser, access the URL for the Configuration Designer.
For example, if the IP address of the host on which the Configuration Designer resides
is 192.0.2.1, the URL would be https://192.0.2.1:83/cd-ui/index.html.
3. Log in with the OpenStack Keystone username and password.
Related Documentation
• Configuration Designer Overview on page 425
Using the Configuration Designer
Use the Configuration Designer to create a configuration template or modify an existing
one. Follow these steps to get started with the Configuration Designer:
• Learn about the Configuration Designer. See “Configuration Designer Overview” on page 425.
• Log in to the Configuration Designer. See “Accessing the Configuration Designer” on page 427.
To create a configuration template:
1. Create a request for a configuration template. See “Creating Requests for Configuration Templates” on page 430.
2. Design a configuration template. You can design a configuration template using one of these methods:
   • Using a data model. Choose this method when you already have a data model for your configuration template. See “Designing Templates with a YANG Configuration” on page 431.
   • Using your working configuration. Choose this method when you have a Jinja template but want the Configuration Designer to generate a data model for your configuration template. See “Designing Templates with a Configuration” on page 434.
3. Publish the configuration template to the Network Service Designer. See “Publishing
Configuration Templates” on page 438.
Related Documentation
• Configuration Designer Overview on page 425
Changing Your Password
Some of the Contrail Service Orchestration components—such as Administration Portal,
Configuration Designer, Resource Designer, and Network Service Designer—have a
common password. When you change the password from any of these GUIs, the new
password is saved in Contrail and applies to all the GUIs.
To change your password:
1. Click the administrative username located at the right side of the top banner.
A drop-down list appears.
2. Click Change Password.
The Change Password page appears.
3. Change your password following the guidelines provided in Table 235 on page 428.
4. Click OK.
You are logged out of the system. To log in to the GUI again, you must use your new
password. Other sessions logged in with the same username are unaffected until the
next login.
Table 235: Fields on the Changing Password Page
Field: Current Password
Description: Enter your existing password.
Field: New Password
Description: Enter your new password.
The minimum character length for this field is 6 (the default) and the maximum is 21. The
password can include alphanumeric and special characters, but not control characters. The
password strength indicator displays the efficiency of the password that you entered.
NOTE: You cannot proceed to the next step if the password strength indicator shows that the
password is weak.
Field: Confirm Password
Description: Reenter the password for confirmation.
You can select the Show Password option to view the password.
Related Documentation
• Administration Portal Overview on page 4
• Configuration Designer Overview on page 425
• Resource Designer Overview on page 443
• Network Service Designer Overview on page 463
About the Requests Page for the Configuration Designer
To access this page, click Home > Requests.
You can use the Requests page to request a new configuration template. A configuration
template has prepopulated values for configuration settings associated with a virtualized
network function (VNF). By using a configuration template for a network service, you can
avoid having to manually configure settings for each service.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a request for a configuration template. See “Creating Requests for Configuration Templates” on page 430.
• Design a new configuration template using a predefined working configuration. In this method, the Configuration Designer generates the data model. See “Designing Templates with a Configuration” on page 434.
• Design a new configuration template using the YANG model. See “Designing Templates with a YANG Configuration” on page 431.
Field Descriptions
Table 236 on page 430 provides guidelines on using the fields on the Requests page for
the Configuration Designer.
Table 236: Fields on the Requests Page for the Configuration Designer
Requests Page
Field: New Template
Description: Click to request a new configuration template.
The New Template page allows you to define the requirements for your configuration
template.
Configuration Template Request
Field: Begin with config
Description: Click to design a new configuration template using a predefined working configuration.
Select this method if you have the Jinja2 configuration but need the Configuration Designer
to generate a data model for your configuration template.
Field: Begin with YANG
Description: Click to design a configuration template using an existing data model.
Select this method if you already have the Jinja2 (a template engine for Python)
configuration and the data model for your configuration template.
Field: Delete
Description: Click to delete a configuration template request.
Related Documentation
• Configuration Designer Overview on page 425
• Using the Configuration Designer on page 427
Creating Requests for Configuration Templates
You can create a configuration template by first making a request for it. A request allows
you to define the requirements for the configuration template, including the template
format, vendor, and the supported device family.
To create a request for a configuration template:
1. Click Home > Requests > New Template.
2. Complete the configuration according to the guidelines provided in Table 237 on page 431.
3. Click Create.
A new template request is created.
Table 237: Fields on the New Template Page
Field: Name
Description: Specify a name for your configuration template. Only a string of alphanumeric characters, dashes, and
spaces are accepted.
Example: ucpe-SRX DPI config
Field: Description
Description: Enter a description for your configuration template. Make this description as clear and useful as possible
for all administrators.
Example: NFX JCP configuration to restore default route from LAN to WAN. This configuration is pushed
to JCP after the service chain is deleted.
Field: Output config format
Description: Select a format for your configuration template:
• CLI (Command-line interface)
• XML (Extensible Markup Language)
• Native: Default file format of the application that we use to create and save files. We use CLI plug-in and it is used for cms_plug-in.
Field: Category
Description: Specify the category for the configuration template. Categories allow you to group your templates and
filter and search them easily.
• VNF: Select this option when you create a configuration template for the virtualized network function.
• Device Template: Select this option when you create a device template for a network device, such as a customer premises equipment (CPE) device.
• Other: Select this option when you create a configuration template for a network function other than VNF or device template.
Field: Vendor
Description: Specify the vendor that you want the configuration template to support.
Example: Juniper Networks
Field: Device family
Description: Specify the device family that you want the configuration template to support.
Example: juniper-srx
Related Documentation
• Configuration Designer Overview on page 425
• Designing Templates with a YANG Configuration on page 431
• Designing Templates with a Configuration on page 434
Designing Templates with a YANG Configuration
You can design a configuration template either by using your own YANG model or by
using the YANG model generated by the Configuration Designer. The Configuration
Designer provides a wizard that takes you through a step-by-step procedure to create a
configuration template. You can design multiple templates by creating requests and
launching respective wizards from them.
To design a template using your own data model, make sure to have your data model
schema and Jinja (a template engine for Python) template content ready.
Before you begin, create a configuration template request. See “Creating Requests for
Configuration Templates” on page 430.
To design a configuration template with your own YANG model:
1. From the Configuration Template Request drop-down list, select Begin with YANG.
The Enter YANG Schema page appears.
2. Enter or copy and paste your YANG schema in the space provided for it. Click Next.
The Enter Jinja Template page is displayed.
3. Enter or copy and paste your Jinja template content in the space provided for it. Click
Next.
NOTE: You can also download a sample template from this page.
NOTE: When you paste the Jinja template, the Configuration Designer
detects the keywords post_config, pre_config, and diff_config automatically.
If the configuration template contains any one of these three keywords,
the template will enable the Diff Config feature.
4. Click Next.
The Generate UI page appears, generates a UI based on your YANG schema,
and displays it as a read-only view. The fields on this page map to the parameters in the
configuration template. You can drag and drop the field labels to reorder the UI.
NOTE: If you edit an existing template and change its data model, then
you can generate a new UI for it by clicking Re-generate ui. If you do not
want a new UI, skip to the next step.
5. Click Next.
The Validate Template page appears.
6. Enter values that you want to validate. See Table 238 on page 433 for sample fields
and their descriptions. Click Validate.
A configuration template is generated using the values that you entered.
7. In the Validate Template page, make sure your data in the template is complete and
correct.
8. Click Yes, it looks good to close the page. If any parameter value in the configuration
template needs to be changed, click No, it needs change to return to the previous page.
9. Click Next.
The Review Template page is displayed. It contains three tabs—Jinja Template, Data
Model, and View Def. You can click through the tabs to view and update your Jinja
template, data model, and view definition.
10. Click Done to save your configuration template.
The Designs page is updated with the new configuration template and its status shows
as Validated. You can monitor and manage the new configuration template from the
Configuration Design page.
NOTE: You need to publish the configuration template for it to be available
for the Resource Designer to create virtualized network function (VNF)
packages. See “Publishing Configuration Templates” on page 438.
Table 238: Sample Fields on the Validate Template Page
Field: Name Servers
Description: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name
servers.
Example: 10.0.2.15
Field: NTP Servers
Description: Specify the FQDNs or IP addresses of one or more NTP servers.
Example: ntp.example.net
Field: Time Zone
Description: Specify the time zone for your virtual machine.
Example: UTC
Field: Enable Default Screens
Description: For a centralized deployment, select True to enable the default screens security profile for the
destination zone or False to disable default screening.
Example: False
NOTE: You cannot configure this setting for a distributed deployment.
Field: Enable Re-filter
Description: Select True to enable a stateless firewall filter that protects the Routing Engine from
denial-of-service (DoS) attacks or False to allow DoS attacks.
Example: True
Field: Loopback Addr
Description: Specify an IPv4 or IPv6 loopback address for the management interface of your virtual machine.
Example: 192.0.2.25
Field: Hostname
Description: For a centralized deployment, specify the hostname of your virtual machine that contains the
vSRX VNF. The hostname has no limit on the number of characters and accepts letters, numbers,
and symbols.
Example: vm-vsrx
NOTE: For a distributed deployment, the vSRX application resides on the NFX250 device, and
you cannot configure this setting.
Field: Syslog Servers
Description: Specify the FQDNs or IP addresses of one or more system log servers.
Example: 192.0.2.55
Field: Right Interface
Description: Specify the identifier of the interface receiving data transmitted by the host.
Example: GigabitEthernet3
Field: Left Interface
Description: Specify the identifier of the interface that transmits data to the host.
Example: GigabitEthernet2
Field: Allowed Prefix List
Field: Ping Prefix List
Description: If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for ping operations when it discovers the vSRX VNF.
Example: 10.0.2.1/24
Field: SNMP Prefix list
Description: If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for SNMP operations when it discovers the vSRX VNF.
Example: 10.0.2.0/24
Field: Space Servers
Description: If you set the Enable Re-filter field to True, specify the IP addresses of the virtual machines that
contain the Junos Space Virtual Appliances.
Example: 10.0.2.50
Related Documentation
• Configuration Designer Overview on page 425
• Designing Templates with a Configuration on page 434
Designing Templates with a Configuration
You can design a configuration template either by using your own data model or by using
the data model generated by the Configuration Designer. The Configuration Designer
provides a configuration template wizard that takes you through a step-by-step procedure
to create your configuration template. You can design multiple templates by creating
requests and launching respective wizards from them.
To design a template using the data model generated by the Configuration Designer, you
provide your Jinja configuration and the wizard automatically parses its parameters and
generates the data model for your template. For documentation on the configuration
templates of the jinja2 Python module, see http://jinja.pocoo.org/docs/2.10/templates/.
Before you begin, create a configuration template request. See “Creating Requests for
Configuration Templates” on page 430.
To design a template with your configuration:
1. From the Configuration Template Request drop-down list, select Begin with config.
The Templatize Config page appears.
2. Enter or copy and paste your Jinja configuration in the space provided for it.
The wizard parses the parameters in your configuration and generates a variables
tree in the Detected Variables panel.
NOTE: You can also download a sample template from this page.
NOTE: When you paste the Jinja template, the Configuration Designer
detects the keywords post_config, pre_config, and diff_config automatically.
If the configuration template contains any one of these three keywords,
the template will enable the Diff Config feature.
3. Review your configuration and edit it as needed. The wizard accordingly updates the
variables in the Detected Variables panel. Click Next.
The Customize Variables page appears.
4. Select any variable to update. You can update different attributes of your template,
such as the Yang and data types. You can also add default values and descriptions.
See Table 239 on page 437 for sample fields and their descriptions.
5. After completing your configuration, click Next.
The Generate UI page appears, generates the data model according to your values,
and displays it as read-only. You can drag and drop the field labels to reorder the UI.
NOTE: If you edit an existing template and change its data model, then
you can generate a new UI for it by clicking Re-generate ui. If you do not
want a new UI, skip to the next step.
6. Click Next.
The Validate Template page appears.
7. Enter values that you want to validate, and ensure that the configuration template is
displayed with the correct values.
8. Click Validate.
The Rendered Config page appears and the configuration template is generated using
the values that you entered.
9. Make sure your data in the configuration template is complete and correct.
10. Click Yes, it looks good to close the page. If any parameter value in the configuration
template needs to be changed, click No, it needs change to return to the previous page.
11. Click Next.
The Review Template page is displayed. It contains three tabs—Jinja Template, Data
Model, and View Def. You can click through the tabs to view and update your Jinja
template, data model, and the view definition.
12. Click Done to save your configuration template.
The Designs page is updated with the new configuration template and its status shows
as Validated. You can monitor and manage the new configuration template from the
Configuration Design page.
NOTE: You must publish the configuration template for it to be available for
the Resource Designer to create virtualized network function (VNF) packages.
See “Publishing Configuration Templates” on page 438.
Table 239: Sample Fields on the Customize Variables Page
Field: Detected Variables
Description: Edit the variable name. A configuration template contains variables that get
replaced with values when a template is rendered. The Configuration Designer
automatically generates these variables from your Jinja configuration.
Example: left_interface
Field: Yang Type
Description: Select an appropriate Yang type from the drop-down list. A Yang module defines
a data model through its data, and through the hierarchical organization and
constraints on that data. It uses a hierarchical, tree-based structure with the
following nodes:
• leaf node: Contains a single value of a specific type
• leaf-list node: Contains a sequence of leaf nodes
• container node: Contains a grouping of related nodes containing only child nodes, which can be any of the six node types
• list node: Contains a sequence of list entries, each of which is uniquely identified by one or more key leafs
• choice node: Contains a set of alternatives, only one of which may exist at any one time
• case node: Contains branches of the choice node
Field: Data Type
Description: Select an appropriate data type based on your variable. In Yang, each leaf and
leaf-list node includes the type statement to identify the data type for valid data
for that node. Yang defines a set of built-in types and also provides the typedef
statement for defining a derived type from a base type, which can be either a built-in
type or another derived type.
• String: Human-readable string
• Boolean: True or false
• Int8: 8-bit signed integer
• Int16: 16-bit signed integer
• Int32: 32-bit signed integer
• Int64: 64-bit signed integer
• Uint8: 8-bit unsigned integer
• Uint16: 16-bit unsigned integer
• Uint32: 32-bit unsigned integer
• Uint64: 64-bit unsigned integer
• Enumeration: Enumerated strings with associated numeric values
• Inet: ip-address: 192.0.2.101
• Inet: ip-prefix: 192.0.2.0/24
• Empty: A leaf that does not have any value
Field: Display Name
Description: Specify the name of the variable as you want it to display.
Field: Key
Description: Specify the key to be associated with the variable.
Keys are identifiers used in defining list entries in the Yang data hierarchy. They
help distinguish one list entry from another.
Field: Required
Description: Specify if the variable is mandatory.
Field: Default Value
Description: Specify the default value for the variable.
Field: Pattern
Description: Specify the regular expression (regex pattern) if the data type of the variable is
string.
Example: ^[a-z][A-Z]
Field: Information
Description: This field displays values only if the data type of the variable is enumeration. When
you select the data type as enumeration, you need to specify the values for the
enumeration list and these values are displayed in the Information column. You
can also edit the enumeration list.
Example: ["abc","def"]
Field: Description
Description: Enter a meaningful description for the variable.
Example: Firewall policy information
To create an actual configuration for a device, you must log in to Administration Portal
or Customer Portal. You must enter the actual values for the configuration in the
configuration template. The configuration template then renders the actual values. You
can click on stage2 configuration to view the actual configuration.
To delete an actual configuration for a device, you must log in to Administration Portal
or Customer Portal and execute the delete command, the remove command, or an alternate
command for the configuration. The command to delete a configuration depends on the
existing configuration on the device.
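The variable attributes in Table 239 (data type, required, default value, pattern, enumeration values) define which values are acceptable before a template renders them into a device configuration. The following Python sketch is an added example, not part of this guide or of Contrail Service Orchestration, that checks user-supplied values against such definitions. The variable definitions, the function names normalize and validate, and the sample values are all constructed for illustration, and re.fullmatch stands in for Yang pattern matching, which applies to the whole value.

```python
import ipaddress
import re

# Ranges for the integer data types listed in Table 239.
INT_RANGES = {
    "int8": (-2**7, 2**7 - 1), "int16": (-2**15, 2**15 - 1),
    "int32": (-2**31, 2**31 - 1), "int64": (-2**63, 2**63 - 1),
    "uint8": (0, 2**8 - 1), "uint16": (0, 2**16 - 1),
    "uint32": (0, 2**32 - 1), "uint64": (0, 2**64 - 1),
}

# Constructed variable definitions (assumption: not exported from the product).
VARIABLES = {
    "hostname": {"type": "string", "required": True,
                 "pattern": r"[A-Za-z][A-Za-z0-9-]{0,62}"},
    "loopback_addr": {"type": "inet:ip-address", "required": True},
    "ping_prefix": {"type": "inet:ip-prefix", "required": False,
                    "default": "10.0.2.0/24"},
    "syslog_port": {"type": "uint16", "required": False, "default": 514},
    "enable_re_filter": {"type": "boolean", "required": True},
    "time_zone": {"type": "enumeration", "required": True,
                  "values": ["UTC", "PST"]},
}


def normalize(spec, value):
    """Return the validated, canonical value or raise ValueError."""
    kind = spec["type"]
    if kind == "boolean":
        if not isinstance(value, bool):
            raise ValueError("expected true or false")
        return value
    if kind in INT_RANGES:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError("expected an integer")
        low, high = INT_RANGES[kind]
        if not low <= value <= high:
            raise ValueError(f"out of range for {kind} ({low}..{high})")
        return value
    if not isinstance(value, str):
        raise ValueError("expected a string")
    if kind == "inet:ip-address":
        return str(ipaddress.ip_address(value))
    if kind == "inet:ip-prefix":
        if "/" not in value:
            raise ValueError("prefix length is missing")
        # strict=False accepts host bits and returns the canonical prefix.
        return str(ipaddress.ip_network(value, strict=False))
    if kind == "enumeration":
        if value not in spec["values"]:
            raise ValueError(f"not one of {spec['values']}")
        return value
    if kind == "string":
        pattern = spec.get("pattern")
        if pattern and not re.fullmatch(pattern, value):
            raise ValueError("does not match the pattern")
        return value
    raise ValueError(f"unsupported data type {kind}")


def validate(values, variables=VARIABLES):
    """Check values against the definitions.

    Returns (clean, errors): clean holds canonical values with defaults
    applied; errors is a list of "name: reason" strings.
    """
    clean, errors = {}, []
    for name in sorted(set(values) - set(variables)):
        errors.append(f"{name}: not a variable of this template")
    for name, spec in variables.items():
        if name not in values:
            if spec.get("required"):
                errors.append(f"{name}: required value is missing")
            elif "default" in spec:
                clean[name] = spec["default"]
            continue
        try:
            clean[name] = normalize(spec, values[name])
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return clean, errors


# Constructed sample inputs: one well-formed, one malformed.
GOOD = {"hostname": "vm-vsrx", "loopback_addr": "192.0.2.25",
        "ping_prefix": "10.0.2.1/24", "enable_re_filter": True,
        "time_zone": "UTC"}
BAD = {"hostname": "vm-vsrx\nextra line", "loopback_addr": "192.0.2.256",
       "syslog_port": 70000, "enable_re_filter": "True",
       "time_zone": "UTC", "debug": 1}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        clean, errors = validate(sample)
        print("clean:", clean)
        print("errors:", errors)
```

Rendering only from the clean dictionary, and only when errors is empty, keeps malformed or undeclared values out of the generated configuration.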
Related Documentation
• Configuration Designer Overview on page 425
• Designing Templates with a YANG Configuration on page 431
Publishing Configuration Templates
After you have designed a configuration template, you need to publish it. Only published
configuration templates are available to the Resource Designer for creating virtualized
network function (VNF) packages.
Use one of the following methods to design a configuration template:
• Using a data model. Choose this method when you already have a data model for your configuration template. See “Designing Templates with a YANG Configuration” on page 431.
• Using your working configuration. Choose this method when you have a Jinja template but want the Configuration Designer to generate a data model for your configuration template. See “Designing Templates with a Configuration” on page 434.
To publish a configuration template:
1. Select Home > Designs.
The Configuration Template Designs page appears. All the configuration templates
are displayed in a table.
2. Select the configuration template, with the status Validated, that you want to publish
to the Resource Designer.
3. Select Publish from the Edit drop-down list.
Your configuration template is published and available to be used by the Resource
Designer. Its status changes from Validated to Published.
Related Documentation
• Configuration Designer Overview on page 425
About the Designs Page for the Configuration Designer
To access this page, click Home > Designs.
Use the Designs page to manage configuration template designs that you have saved
or published.
Tasks You Can Perform
You can perform the following tasks from this page:
• View the configuration template designs. Table 240 on page 440 describes the fields on the Configuration Template Designs page.
• Modify a configuration template design that you published or saved using the configuration. Click Edit from the drop-down list at the end of the appropriate row and make your updates. See “Designing Templates with a Configuration” on page 434.
• Modify a configuration template design that you published or saved using the YANG model. Click Edit from the drop-down list at the end of the appropriate row and make your updates. See “Designing Templates with a YANG Configuration” on page 431.
• Publish a configuration template. See “Publishing Configuration Templates” on page 438.
• Clone a configuration template. See “Cloning Configuration Templates” on page 441.
• Delete a configuration template. See “Deleting Configuration Template Designs” on page 441.
Field Descriptions
Table 240 on page 440 provides guidelines on using the fields on the Designs page for the
Configuration Designer.
Table 240: Fields on the Configuration Template Designs Page
Field
Description
Template
View the configuration template name. The name can be a string of alphanumeric
characters, dashes, and spaces.
Example: srx-lan-to-wan-config
Family
View the device family supported by the configuration template.
Example: juniper-srx
Vendor
View the vendor that the configuration template supports.
Example: Juniper Networks
Output Format
View the format used by the configuration template. It can be one of the following:
• CLI (Command-line interface)
• XML (Extensible Markup Language)
• Native - Default file format of the application that we use to create and save files. We use CLI plug-in and it is used for cms_plug-in.
Category
View the category for the configuration template.
• VNF—A configuration template for the virtualized network function.
• Device Template—A device template for the network function and this cannot be published to the Resource Designer.
• Other—A configuration template for the network function other than VNF or device template.
Diff-Config
Use to compare configuration difference between the two configuration files.
• Yes—Diff.Config feature is enabled for the template.
• No—Diff.Config feature is disabled for the template.
Status
View the configuration template status:
• In-Progress—Configuration template request was created but the template hasn’t been validated.
• Validated—Configuration Designer validated the configuration template and it is ready to be published.
• Published—Configuration Designer published the configuration template and it is available to the Resource Designer for use.
Description
View the configuration template description.
Example: NFX Stage-1 configuration
Related Documentation
• Configuration Designer Overview on page 425
• About the Requests Page for the Configuration Designer on page 429
Cloning Configuration Templates
Cloning a template is useful when you want to create a configuration template that is
similar to an existing one but with small differences. You can easily clone an existing
template from the Designs page and customize it as needed.
To clone a configuration template design:
1. Select Home > Designs.
The Designs page appears.
2. Select the configuration template design that you want to clone, and click the clone
icon at the top of the Designs page.
The Clone Template page appears.
3. Specify an appropriate name for your new configuration template. For example,
uCPE-SRX NAT config.
4. Click Save.
A message is displayed indicating that the template was cloned successfully. The
cloned configuration template appears on the Designs page.
If you want to edit the cloned configuration template, select the template and click Edit
from the drop-down list at the end of the row.
Related Documentation
• About the Designs Page for the Configuration Designer on page 439
• Designing Templates with a Configuration on page 434
• Designing Templates with a YANG Configuration on page 431
Deleting Configuration Template Designs
You can easily delete a configuration template design from the Designs page.
To delete a configuration template design:
1. Select Home > Designs.
The Designs page appears.
2. Select the configuration template design that you want to delete.
3. Click Delete from the drop-down list at the end of the row.
A page requesting confirmation for the deletion appears.
4. Click Yes to confirm that you want to delete the design.
The configuration template design is deleted.
Related Documentation
• About the Designs Page for the Configuration Designer on page 439
CHAPTER 46
Resource Designer
• Resource Designer Overview on page 443
• Using the Resource Designer on page 445
• Accessing the Resource Designer on page 446
• About the Requests Page for the Resource Designer on page 446
• VNF Overview on page 447
• Creating Requests for VNF Packages on page 448
• Designing VNF Packages on page 449
• Adding VNF Managers on page 456
• Publishing VNF Packages on page 457
• About the Designs Page for the Resource Designer on page 458
• Cloning VNF Packages on page 459
• Importing VNF Packages on page 460
• Exporting VNF Packages on page 460
• Deleting VNF Packages on page 461
Resource Designer Overview
Configuration Designer, Resource Designer, and Network Service Designer are visual
designer tools used by the Juniper Networks Cloud CPE solution for smooth onboarding.
The designer tools offer network designers a convenient way of bringing virtualized
network functions (VNFs) from Juniper Networks and third-party companies into the
network services catalog using a graphical user interface (GUI).
Resource Designer provides an intuitive GUI-based workflow that guides administrators
as they provide the required information to create a VNF package. Resource Designer
also validates the created VNF package before it is published to Network Service Designer.
Network Service Designer uses VNF packages to design customized network services
that are published to the network services catalog, which contains a list of usable network
services.
Service provider administrators access the network services catalog to assign a set of
network services to their customers using the Administration Portal. Finally, customer
administrators access the network services assigned to them using a Customer Portal
to manage their sites and services. Figure 2 on page 444 shows a Resource Designer
workflow.
Figure 2: Resource Designer Workflow
[Figure: workflow diagram relating configuration templates, Resource Designer, VNF packages (functions, resources, protocols, and metadata required for VNF management), Network Service Designer, customized network services, the network services catalog, Administration Portal (service provider administrator), and Customer Portal (customer administrator).]
As a system integrator or a service provider, you can use Resource Designer to create and
onboard a VNF package that can be used for defining network services. A VNF package
is a set of metadata or templates designed for a specific vendor’s VNF. Each VNF has its
own combination of resources and performance characteristics. Having access to different
levels of VNF packages can help you to design specific service-level agreements (SLAs)
for your services. You can assign resources to VNFs using your vendor’s data sheets as
a basis.
A typical VNF package might include:
• VNF base configuration template—A configuration template can be created in Configuration Designer:
  • To ensure correct startup and ongoing manageability of the VNF
  • For management IP, SNMP, and system log configuration of the VNF
• VNF descriptor (VNFD)—A deployment template that describes a VNF in terms of its deployment and operational behavior requirements. VNFD is mainly used during the instantiation of a VNF and for lifecycle management of a VNF instance. It includes the following properties:
  • Connection points—Represents the management interface, left interface, and right interface. Connection points are used to connect the virtual links.
  • Virtual links—Represents the management network link, left network link, and right network. Virtual links provide connectivity between VDUs.
  • Virtual deployment units (VDUs) and a topology showing how the VDUs are connected—VDUs are a basic part of VNFs. VDUs are used to host the network function.
  • Allocated CPU and memory
  • Required storage
  • Names and types of VNF images
  • Deployment flavors—A differentiated option such as Gold, Silver, or Bronze with an appropriate SLA metric.
  • VNF auto-scale policies
• VNF Manager plug-in—A plug-in type and name. For example, a VNF Manager for VNF lifecycle management.
• Supported function chains—Sequences of network functions, such as firewall, NAT, or WAN optimization, that the VNF package offers.
Some VNFs, like vSRX, support multiple functions and service chains. For example, vSRX
can be deployed in the context of multiple functions such as firewalls, carrier-grade NAT,
IDP, UTM, malware, and others.
Related Documentation
• Accessing the Resource Designer on page 446
• Changing Your Password on page 428
• Using the Resource Designer on page 445
Using the Resource Designer
Use the Resource Designer to create a VNF package or modify an existing one. Follow
these steps to get started with the Resource Designer:
• Learn about the Resource Designer. See “Resource Designer Overview” on page 443.
• Log in to the Resource Designer. See “Accessing the Resource Designer” on page 446.
To create a VNF package:
1. Create a request for a VNF package. See “Creating Requests for VNF Packages” on page 448.
2. Design a VNF package. See “Designing VNF Packages” on page 449.
3. Publish the VNF package to the Network Service Designer. See “Publishing VNF
Packages” on page 457.
You can also perform the following tasks using the Resource Designer:
• Clone a VNF package. See “Cloning VNF Packages” on page 459.
• Import a VNF package. See “Importing VNF Packages” on page 460.
• Export a VNF package. See “Exporting VNF Packages” on page 460.
Related Documentation
• Resource Designer Overview on page 443
• Accessing the Resource Designer on page 446
Accessing the Resource Designer
To access the Resource Designer:
1. Review the keystone username and password that you defined for Contrail OpenStack.
• For a centralized deployment, you can view these settings on the Contrail configure and control node in the files /etc/contrail/keystonerc and /etc/contrail/openstackrc.
• For a distributed deployment, you can view these settings on the central infrastructure node in the file /etc/keystone/keystonerc.
• The default username is cspadmin and the default password is passw0rd.
2. Using a Web browser, access the URL for the Resource Designer.
For example, if the IP address of the host on which Resource Designer resides is
192.0.2.1, the URL would be https://192.0.2.1:83/rd-ui/index.html.
3. Log in with the OpenStack Keystone username and password.
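A defender's check for the procedure above, as an added example that is not part of the original guide: it reads the rc files the guide names and reports whether the documented default username or password is still in place, without printing the password. It assumes the files use the usual OpenStack "export OS_USERNAME=..." / "export OS_PASSWORD=..." form, and it borrows the complexity rule this guide gives for VNF manager passwords (at least eight characters, three of four character classes) as a baseline; the sample file contents are constructed.

```python
import re
import shlex
import string

# Values stated in the guide.
DEFAULT_USERNAME = "cspadmin"
DEFAULT_PASSWORD = "passw0rd"
RC_PATHS = (
    "/etc/contrail/keystonerc",    # centralized deployment
    "/etc/contrail/openstackrc",   # centralized deployment
    "/etc/keystone/keystonerc",    # distributed deployment
)

# Assumption: the rc files use the usual OpenStack "export OS_NAME=value" form.
ASSIGNMENT = re.compile(r"^(?:export\s+)?(OS_[A-Z0-9_]+)=(.*)$")

# Constructed sample contents (not taken from a real system).
SAMPLE_DEFAULT = """\
# constructed sample: installation left at the documented defaults
export OS_USERNAME=cspadmin
export OS_PASSWORD='passw0rd'
export OS_TENANT_NAME=admin
"""
SAMPLE_ROTATED = """\
# constructed sample: password changed after installation
export OS_USERNAME=cspadmin
export OS_PASSWORD="Xk9#mQ2v!Lp4"
"""


def parse_rc(text):
    """Return the OS_* assignments found in rc-file text as a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name, raw = match.groups()
        try:
            tokens = shlex.split(raw)      # strips shell quoting
        except ValueError:                 # unbalanced quote: keep raw text
            tokens = [raw]
        values[name] = tokens[0] if tokens else ""
    return values


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    known = string.ascii_uppercase + string.ascii_lowercase + string.digits
    return sum((
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in known for c in password),
    ))


def audit_rc(text):
    """Return a sorted list of finding codes for one rc file's contents."""
    values = parse_rc(text)
    findings = set()
    if values.get("OS_USERNAME") == DEFAULT_USERNAME:
        findings.add("default-username")
    password = values.get("OS_PASSWORD")
    if password is None:
        findings.add("no-password-found")
        return sorted(findings)
    if password == DEFAULT_PASSWORD:
        findings.add("default-password")
    # Baseline borrowed from the guide's VNF manager password rule.
    if len(password) < 8 or character_classes(password) < 3:
        findings.add("weak-password")
    return sorted(findings)


if __name__ == "__main__":
    for path in RC_PATHS:
        try:
            with open(path, encoding="utf-8") as handle:
                result = audit_rc(handle.read())
        except OSError as exc:
            print(f"{path}: skipped ({exc.strerror})")
            continue
        # Only finding codes are printed, never the credential itself.
        print(f"{path}: {', '.join(result) or 'no findings'}")
```

Run it as root on the node that holds the rc files; a default-password finding means the Resource Designer login described here is protected only by the published default.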
Related Documentation
• Resource Designer Overview on page 443
• Using the Resource Designer on page 445
About the Requests Page for the Resource Designer
To access this page, click Home > Requests.
Use the Requests page to request a new VNF package. A VNF package is a package of
device metadata or templates for a specific vendor VNF. You can also view the open
VNF package requests with the request name, date, and time.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create a request to design a VNF package. See “Creating Requests for VNF Packages” on page 448.
• Design a new VNF package. See “Designing VNF Packages” on page 449.
Field Descriptions
Table 241 on page 446 provides guidelines on using the fields on the Requests page for
the Resource Designer.
Table 241: Fields on the Requests Page for the Resource Designer
Field
Description
Requests Page
New Request
Click to request a new VNF package.
The New Request page allows you to define the requirements for your VNF package.
VNF Package Request
Begin
Hover over the bottom right of the package and click to design a VNF package.
The Basic VNF Information page appears. You can specify the basic information for the VNF
package, supported VNF, and function chains.
Delete
Hover over the bottom right of the package and click to delete a VNF package request.
The VNF package request is deleted.
Related Documentation
• Resource Designer Overview on page 443
• Using the Resource Designer on page 445
VNF Overview
A virtualized network function (VNF) is a software application used in a Network Functions
Virtualization (NFV) implementation that has well-defined interfaces and provides one
or more component networking functions in a defined way. For example, a security VNF
provides Network Address Translation (NAT) and firewall component functions.
For the Cloud CPE solution in a centralized deployment model, you design network
services for customers based on VNFs. Each VNF used in the network service is deployed
in its own virtual machine (VM). The connections between VNFs depend on how VIMs
define them over the NFV Infrastructure (NFVI).
For the Cloud CPE solution in a distributed deployment model, the Open vSwitch (OVS)
bridges are used within the NFX hypervisor.
You can specify the following required resources for a VNF package when you create it
in Resource Designer.
• Number of virtual CPUs
• Virtual memory (MB)
• Virtual disk capacity (MB)
• License cost
The Cloud CPE solution supports a range of Juniper Networks and third-party VNFs.
Vendors can provide multiple versions of a VNF that offer differentiated performance.
You can see available VNFs and their specifications and resource requirements in the
VNF catalog of the Network Service Designer tool. Table 242 on page 448 lists the VNFs
that are currently supported by the Cloud CPE Solution.
Table 242: VNFs Supported by the Cloud CPE Solution
Juniper Networks vSRX
• Network Functions Supported: Network Address Translation; demonstration version of Deep Packet Inspection (DPI); Firewall; Unified Threat Management (UTM)
• Deployment Model Support: Centralized deployment; distributed deployment supports firewall and UTM
• Element Management System Support: EMS microservice
LxCIPtable (a free, third-party VNF based on Linux IP tables)
• Network Functions Supported: NAT; Firewall
• Deployment Model Support: Centralized deployment
• Element Management System Support: EMS microservice
Cisco Cloud Services Router 1000V Series (CSR-1000V)
• Network Functions Supported: Firewall
• Deployment Model Support: Centralized deployment
• Element Management System Support: Junos Space Network Management Platform
Riverbed Steelhead
• Network Functions Supported: WAN optimization
• Deployment Model Support: Distributed deployment, NFX250 platform only
• Element Management System Support: EMS microservice
Silver Peak VX
• Network Functions Supported: WAN optimization
• Deployment Model Support: Distributed deployment, NFX250 platform only
• Element Management System Support: EMS microservice
Related Documentation
• Creating Requests for VNF Packages on page 448
Creating Requests for VNF Packages
You can create a configuration template by making a request. A request allows you to
define the basic requirements for the VNF package, including the vendor and the supported
device family.
1. Click Home > Requests > New Requests.
2. Complete the configuration according to the guidelines provided in
Table 243 on page 449.
3. Click Create.
A new VNF package request is created. If you want to discard your changes, click
Cancel instead.
Table 243: Fields on the New Request Page
Field
Description
Name
Specify a unique name for your VNF package using a string of alphanumeric characters, dashes,
and spaces.
Example: vSRX
Description
Enter a description for your VNF package. Make this description as clear and useful as possible
for all administrators.
Vendor
Select the vendor for the VNF package.
Example: Juniper Networks
Target family
This field is auto-populated with the device family supported by the vendor.
Example: juniper-nfx
Vendor Logo
This field is auto-populated with the vendor logo for the selected vendor.
You can also click Select files to upload logos for any new vendor that you add to the vendor list
through an API.
Related Documentation
• Resource Designer Overview on page 443
• About the Requests Page for the Resource Designer on page 446
• Designing VNF Packages on page 449
Designing VNF Packages
You can design a VNF package using the Resource Designer. The Resource Designer
provides a VNF package wizard that takes you through a step-by-step procedure to
create your VNF package. You can design multiple VNF packages by creating requests
and launching respective wizards from them.
Before You Begin
Create a request to design a VNF package. See “Creating Requests for VNF Packages”
on page 448.
To design a VNF package, you need to perform the following:
• Creating Basic VNF Information on page 450
• Adding Flavor Parameters on page 451
• Adding Standard and Custom Functions on page 453
• Designing a Supported Function Chain on page 453
• Viewing the Summary of VNF Packages on page 455
Creating Basic VNF Information
You can click through each tab on this page to specify basic VNF information, flavor
parameters, standard functions, custom functions, and supported function chains for
the VNF package.
To create basic VNF information:
1. Click Home > Requests. You see the Requests page and can view the number of open
requests that you created to design a VNF package.
2. Select Begin from the appropriate open VNF request wizard.
You are directed to the Configure page. It contains three tabs—Enter Basic Information,
Select Functions, and Design Function Chains. You can click through the tabs to specify
basic VNF information, flavor parameters, standard functions, custom functions, and
supported function chains that are required for the VNF package.
3. Complete the configuration according to the guidelines provided in
Table 244 on page 450.
Table 244: Fields on the VNF Information Page
Field
Description
VNFD Name
Displays the VNF Package request name that you provided. A VNFD is a deployment template that
describes the deployment and operational behavior of the VNF. Some of the VNFs are listed below:
• Juniper Networks vSRX—Supports both centralized and distributed deployments.
• LxCIPtable—A free, third-party VNF based on Linux IP tables; supports only centralized deployments.
• CSR-1000V—Cisco Cloud Services Router 1000V Series; supports only centralized deployments.
• Silver Peak VX—Supports only distributed deployments.
• HAProxy—An open source, reliable solution that offers high availability and proxy service for TCP applications.
VNF Manager
Select the VNF configuration manager. A VNF manager represents plug-in information, which includes plug-in type and name and is extracted from an existing VNF. The VNF manager handles life cycle management of VNFs, including third-party VNFs. Some of the VNF managers are listed below:
• Viptables
• viptables_v2
• Space_14_2
• Space_DMS_CMS_2_0
• Silverpeak_v2
Deployment Type
Select the deployment type.
• uCPE only—Select this option for a distributed deployment.
• vCPE only—Select this option for a centralized deployment.
Basic Config
Select the basic configuration template. A basic configuration template ensures correct startup and
ongoing manageability, management IP address, SNMP, and system logs and is created by using the
Configuration Designer.
Example: vSRX Space firewall config
BootStrap Config
Select the bootstrap configuration as a reference to the configuration template for the bootstrap
configuration to be used when the VNF is spawned. Bootstrap configuration template is created using
the Configuration Designer.
Example: default-domain
Networking Config
Select the network configuration as a reference to the configuration template for the networking
configuration to be staged on the VNF. Network configuration template is created using the Configuration
Designer.
Example: default-domain
VNF Capability
Select one or more capabilities supported for the software release of the VNF.
• SRIOV-DATA—Supports SRIOV and its data interfaces
• SRIOV-MGMT—Supports SRIOV and its management interfaces
• CDROM-Bootstrapping—Supports bootstrap configuration through CDROM ISO
• UserData-Bootstrapping—Supports bootstrap configuration using CloudInit
• MGMT-VLAN-Tagged-Traffic—Supports VLAN tagged traffic and its management interfaces
• DATA-VLAN-Tagged-Traffic—Supports VLAN tagged traffic and its data interfaces
• Transparent-mode—Supports insertion in transparent mode
• L3-mode—Supports Layer 3 mode
• Direct-OAM-Reachability—Enables service chaining of a third-party VNF
Adding Flavor Parameters
You can create a package flavor (for example, Gold, Silver, or Bronze) and assign the
flavor to the VNF. Flavor parameters are computational properties of virtual deployable
units (VDUs) and each package flavor supports only one virtual deployable unit (VDU).
You can specify different resources for each VDU such as number of CPUs, allocated
memory size, and allocated disk size. You can also specify a VNF image for VDU for vCPE
devices and specify the bootstrap script for uCPE devices.
To add flavor parameters:
1. From the Package Flavors field on the Basic VNF Information page, click Add.
The New Flavor Parameters wizard appears.
2. Complete the configuration according to the guidelines provided in
Table 245 on page 452.
3. Click Save. If you want to discard your changes, click Cancel instead.
A graphical representation of the wizard is displayed and shows the VNF flavor name
and the required virtual resources.
4. Click the edit icon at the top of the wizard to modify the flavor parameters. If you want
to close the wizard, click the X icon.
5. Click Next.
The Select Functions page appears with the standard and custom functions.
Table 245: New Flavor Parameters
Field
Description
Flavor Name
Specify the name of the package flavor for the VNF.
Example: Gold, Silver, or Bronze
Image Name
Select the VNF image file.
Click Upload Image to upload VNF images for the centralized deployment through Administration
Portal. See “Uploading a Device Image” on page 131.
Example: csr1000v-img
CPU
Specify the number of virtual CPUs required for the VNF using a numeric value without a fractional
component.
Example: 4 CPU cores
Memory
Specify the virtual memory size required for the VNF in megabytes (MB) using a numeric value
without a fractional component.
Example: 4096 MB
Disk
Specify the virtual disk capacity required for the VNF in gigabytes (GB) using a numeric value
without a fractional component.
Example: 128 GB
Bootstrap Script
Bootstrap script is supported only for the uCPE deployment. You can add a bootstrap script to
support a third-party VNF for the uCPE devices.
Click Add.
The Edit Bootstrap Script wizard appears.
Edit Bootstrap Script
Edit and save the script. If you want to discard your changes, click Cancel instead.
Script Type
Select the supported bootstrap script for the third-party VNF. Supported bootstrap script types
are:
• bash
• sh
• python
• perl
The default script type is bash.
Adding Standard and Custom Functions
To add standard and custom functions:
1. On the Select Functions page, from the Standard Functions wizard, select the function category from the Category drop-down list. To select all function categories, click All.
• There are four function categories: Security, Switching, Networking, and Routing.
• When you select a function category, a list of network functions that belong to the function category is displayed in the wizard. For example, NAT, Firewall, Antispam, and Antivirus are displayed when you select Security.
2. Select the network function that you want to add to the VNF package individually. If
you want to select all network functions, click Select All.
3. Click Add Custom Function to add a custom function if the predefined category does
not have the network function the user wants to use.
The Edit Custom Function wizard appears.
a. Specify the name of the custom function.
b. Select the function category.
c. Click Save. If you want to discard your changes, click Cancel instead.
4. Click Next.
The Design Function Chains page appears.
Designing a Supported Function Chain
To design a supported function chain:
1. On the Design Function Chains page, a list of standard and custom functions is displayed in the Function Palette wizard at the bottom of the page.
2. Drag any standard or custom function from the Function Palette wizard at the bottom of the page and drop it on the Supported Function Chains workspace at the top of the page in the order that they should appear. If you drop two or more functions to the workspace, the functions will automatically connect with a connection arrow to form a service chain.
3. Click the edit icon on the network function to add a configuration template for the
network function.
The Config Template wizard appears.
4. From the Template Name drop-down list, select the network configuration template
to be staged on the VNF. Some configuration templates are listed as follows:
• IPTable NAT config—Configuration template designed for NAT.
• IPTable Firewall config—Configuration template designed for firewall.
• FireFly UTM config—Configuration template designed for firefly UTM.
5. Click Save. If you want to discard your changes, click Cancel instead.
6. Using the guidelines in Table 246 on page 455, specify assurance parameters for the
VNF on the left panel of the page. Assurance parameters are used to provide SLA
performance and scale indicators from the data sheet for the VNF. Each VNF flavor
can achieve the SLA performance and scale indicators. When you design a network
service in Network Service Designer, these values are used to determine how well your
design meets your target performance for the network service.
7. Click Next.
The service chain is created and displayed in the same page. For example,
Antispam-UTM-NAT-Antivirus.
8. If you use more than one network function in the VNF package, click Service Chain to
create the next combination of services.
9. Repeat steps 4 through 6 to create the service chain.
10. Repeat steps 6 through 9 until you have covered all possible combinations of the
network functions, including each function on its own.
11. Click Next.
The Review VNF Package page appears.
Table 246: Assurance Parameters of the Network Function
Field
Description
Service Mode
Select the mode of network service that can be configured for the VNF.
• Transparent—Used for services that do not modify the packet. Also known as bump-in-the-wire or Layer 2 mode.
Example: Firewall, IDP, and so on.
• In-Network—Provides a gateway service where packets are routed between the service instance interfaces.
Example: NAT, Layer 3 firewall, load balancer, HTTP proxy, and so on.
• In-Network-NaT—Similar to in-network mode, but return traffic does not need to be routed to the source network. In-network-nat mode is particularly useful for NAT service.
The default service mode is In-Network.
Bandwidth
Specify the data rate for the virtualized network function in megabytes per second (Mbps) or gigabytes
per second (Gbps).
Example: 185
Latency
Specify the time a packet takes to traverse the virtualized network function in milliseconds (ms).
Example: 5.8
Sessions
Specify the maximum number of sessions concurrently supported for the VNF.
Example: 25,000
License cost
Specify the license cost for the virtualized network function in USD.
Viewing the Summary of VNF Packages
To view the summary of a VNF package:
1. On the Review VNF package page, you can view the VNF basic information, number
of standard and custom network functions available, number of standard and custom
network functions selected, and the number of service chains created for the VNF
package.
2. Click the edit icon on top corner of each wizard to edit the individual fields of VNF
basic information, functions, and service chains.
3. Click Done.
A success message is displayed.
The VNF package is added in the Designs page and the status of the package changes
to Validated.
Related Documentation
• Resource Designer Overview on page 443
• Creating Requests for VNF Packages on page 448
• Adding VNF Managers on page 456
• Publishing VNF Packages on page 457
Adding VNF Managers
Resource Designer allows a service provider to add a new VNF manager, including
third-party VNF manager plug-in information, from the Designs page.
To add a VNF manager:
1. Click Home > Requests. You see the Requests page and can view the number of open
requests that you created to design a VNF package.
2. Select Begin from the appropriate open VNF request wizard.
The Basic VNF Information page appears.
3. Click Add VNF Manager.
The New VNF Manager wizard appears.
4. Complete the configuration according to the guidelines provided in
Table 247 on page 456.
5. Click Save. If you want to discard your changes, click Cancel instead.
Table 247: Add VNF Manager
Field
Description
VNF Manager Name
Select the VNF configuration manager. A VNF manager represents plug-in information, which includes
plug-in type and name.
Example: JunosSpace
Username
Specify the username that you configured for the VNF manager.
Password
Specify the password that you configured for the VNF manager.
You can choose a password that is at least eight characters long and contains characters from at least
three of the following four character classes: uppercase letters, lowercase letters, numbers (0 through
9), and special characters.
Plug In
Select the plug-in type.
• Built-In—Built-in plug-in name.
• External Plugin—Python plug-in package name.
Built-In
PlugIn Name—Specify the built-in plug-in name.
Example: viptables
External Plugin
•
PlugIn Name—Specify the python VNF manager plug-in name, which is used to provide additional
features on top of the existing built-in VNF manager. The naming convention of the package name is
<Vendor><VNFM Name><Version>, and this can be installed through the PIP tool.
•
Display Name—Specify the display name for the VNF manager.
•
Description—Enter a description for your VNF manager. Make this description as clear and useful as
possible for all administrators.
•
Vendor—Specify the vendor name that you want the external plug-in to support.
•
EMS Name—Specify an EMS name for the EMS instance that manages the VNF instances instantiated
from the VNF package. Each POP is associated with an EMS instance to manage instances instantiated
in the POP. The same EMS instance is shared by multiple POPs or dedicated EMS instances for each
POP, and the EMS name is used to find the right EMS instance to manage the VNF instances in a
specific POP.
Example: Junos Space 15.1 and Versa Director 1.1.
Related Documentation
• About the Designs Page for the Resource Designer on page 458
• Designing VNF Packages on page 449
Publishing VNF Packages
After you have designed a VNF package, you need to publish the designed VNF package
to the Network Service Designer. Only published VNF packages are available from the
Network Service Designer.
To publish a VNF package to the Network Service Designer:
1. Select Home > Designs.
The VNF Package Designs page appears. All of the VNF packages are displayed in a
table.
2. Select the VNF package, with the status Validated, that you want to publish to the
Network Service Designer.
3. Select Publish to NSD from the drop-down list at the end of the row.
Your VNF package is published and available to be used by the Network Service
Designer. The status of the package changes from Validated to Published.
Related Documentation
• Resource Designer Overview on page 443
• Creating Requests for VNF Packages on page 448
• About the Designs Page for the Resource Designer on page 458
About the Designs Page for the Resource Designer
To access this page, click Home > Designs.
Use the Designs page to manage VNF packages that you have saved or published. You
can also view the information about each VNF package.
Tasks You Can Perform
You can perform the following tasks from this page:
• View the VNF package information. See Table 248 on page 458 for field descriptions of
the Designs page.
• Export a VNF package from the Resource Designer. See “Exporting VNF Packages” on
page 460.
• Import a VNF package to the Resource Designer. See “Importing VNF Packages” on
page 460.
• Clone a VNF Package. See “Cloning VNF Packages” on page 459.
• Modify the VNF package that you saved or published using the Edit option from the
drop-down list. See “Designing VNF Packages” on page 449.
• Publish a VNF package. See “Publishing VNF Packages” on page 457.
• Delete a VNF package. See “Deleting VNF Packages” on page 461.
Field Descriptions
Table 248 on page 458 provides guidelines on using the fields on the Designs page for the
Resource Designer.
Table 248: Fields on the Designs Page for the Resource Designer

| Field | Description |
|---|---|
| VNF Name | View the VNF package name. The name can be a string of alphanumeric characters, dashes, and spaces. Example: ucpe-vSRX |
| Vendor | View the vendor that the VNF package supports. Example: Juniper Networks |
| Family | View the device family supported by the VNF package. Example: juniper-srx |
| Date | View the date and time when the VNF design package was created. Example: 01/24/2017 12:01 |
| Status | View the VNF package status. Started: An empty VNF package was created and the components need to be added. In-Progress: A VNF package was created but the package is not validated. Validated: Resource Designer validated the VNF package and it is ready to be published. Published: Resource Designer published the VNF package and it is available from the Network Service Designer. |
Related Documentation
• Resource Designer Overview on page 443
• About the Requests Page for the Resource Designer on page 446
Cloning VNF Packages
You can clone a VNF package from the Designs page when you want to quickly create a
copy of an existing VNF package and modify its parameters including the name of the
VNF.
To clone a VNF package design:
1. Select Home > Designs.
The Designs page appears.
2. Select the VNF package design that you want to clone, and click the clone icon at the
top of the Designs page.
The Clone VNF Package wizard appears.
3. Specify an appropriate name for your new VNF package.
4. Click Save.
A success message is displayed. The cloned VNF package appears on the Designs
page.
If you want to edit the cloned VNF package, select the VNF package and click Edit from
the drop-down list at the end of the row.
Related Documentation
• About the Designs Page for the Resource Designer on page 458
• Designing VNF Packages on page 449
Importing VNF Packages
You can import a VNF package design to the Designs page from third-party applications
and VNF packages from another Resource Designer. A VNF package design retains its
state when it is imported.
To import a VNF package design:
1. Select Home > Designs.
The Designs page appears.
2. Click the Import VNF package icon at the top of the Designs page.
The Import VNF wizard appears.
3. Click Select files to select the VNF JSON data file.
NOTE: You need to retain the file format as .json to successfully import
the VNF package design to the Resource Designer.
4. Click Import. If you want to discard the import process, click Cancel instead.
A success message is displayed indicating that the VNF is imported. The imported
VNF package appears on the Designs page.
Related Documentation
• About the Designs Page for the Resource Designer on page 458
• Designing VNF Packages on page 449
Exporting VNF Packages
You can export a VNF package design from the Designs page when you want to use this
VNF package in another Resource Designer that is running on another customer’s server.
A VNF package design retains its state when it is exported.
To export a VNF package design:
1. Select Home > Designs.
The Designs page appears with a list of VNF packages.
2. Select the VNF package design that you want to export.
3. Select Export from the drop-down list at the end of the row.
The VNF package JSON file opens at the bottom of the page.
4. Save the file to your computer.
You can modify the parameters and rename the JSON file if required.
Related Documentation
• About the Designs Page for the Resource Designer on page 458
• Designing VNF Packages on page 449
• Importing VNF Packages on page 460
Deleting VNF Packages
To delete a VNF package design:
1. Select Home > Designs.
The Designs page appears with a list of VNF packages.
2. Select the VNF package design that you want to delete.
3. Select Delete from the drop-down list at the end of the row.
A page requesting confirmation for the deletion appears.
4. Click Yes to confirm.
The VNF package design is deleted.
Related Documentation
• Resource Designer Overview on page 443
• About the Designs Page for the Resource Designer on page 458
CHAPTER 47
Network Service Designer Introduction
• Network Service Designer Overview on page 463
• Accessing Network Service Designer on page 464
Network Service Designer Overview
Network Service Designer is a visual design tool to create and manage network services
for the Juniper Networks Cloud CPE solution.
The Network Service Designer receives input from the Configuration Designer and
Resource Designer. Configuration Designer is used to create and manage configuration
templates. The templates are based on a simple concept of configuration
parameterization. Parameterization facilitates the creation of versatile configuration
templates that can be easily used for different configurations. The different types of
configuration templates are device-level base configurations, service configurations, and
monitoring configurations. Resource Designer uses these configuration templates to
create VNF packages that are published to Network Service Designer. You combine
various VNFs from multiple vendors to create a service chain and publish it to the network
service catalog. The network service orchestrator instantiates the service chain to the
Cloud CPE solution.
With Network Service Designer you can:
• Create requests for new network services.
• Design customized network services for your customers.
• Design new standard network services that you can offer to all your customers.
• Update existing network services.
• Publish services to the network service catalog.
• Manage network services that you are designing or have published to the network
catalog.
• Configure some basic parameters for the VNFs used in a network service and the virtual
containers in which the VNFs reside.
Related Documentation
• Network Services and Service Chains Overview on page 465
• Accessing Network Service Designer on page 464
Accessing Network Service Designer
To access the Network Service Designer:
1. Review the OpenStack Keystone username and password that you defined.
• For a centralized deployment, you can view these settings on the Contrail configure
and control node in the files /etc/contrail/keystonerc and /etc/contrail/openstackrc.
• For a distributed deployment, you can view these settings on the central
infrastructure node in the file /etc/keystone/keystonerc.
• The default username is cspadmin and the default password is passw0rd.
2. Using a Web browser, access the URL for the Network Service Designer.
For example, if the IP address of the host on which the Network Service Designer
resides is 192.0.2.1, then the URL would be https://192.0.2.1:83/nsd-ui/index.html.
3. Log in with the OpenStack Keystone username and password.
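The following check is an added example, not part of the original guide or of Juniper's software. It reads the rc files named in Step 1, reports whether the default username or password documented above is still in use, and applies the three-of-four character class rule from Table 247 as a baseline. It assumes the rc files use the usual OpenStack shell assignments (OS_USERNAME and OS_PASSWORD), and the sample file contents are constructed.

```python
import os
import re
import string

# Defaults and file locations exactly as the guide states them.
DEFAULT_USERNAME = "cspadmin"
DEFAULT_PASSWORD = "passw0rd"
RC_FILES = {
    "centralized": ["/etc/contrail/keystonerc", "/etc/contrail/openstackrc"],
    "distributed": ["/etc/keystone/keystonerc"],
}

# Assumption: the rc files hold shell assignments such as
# `export OS_USERNAME=...` and `export OS_PASSWORD=...`.
_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?(OS_[A-Z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample input, not taken from a real node.
SAMPLE_RC = """\
# constructed sample
export OS_USERNAME=cspadmin
export OS_PASSWORD='passw0rd'
export OS_TENANT_NAME=admin
"""


def parse_rc(text):
    """Return {variable: value} for OS_* assignments, without surrounding quotes."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue
        name, raw = match.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        values[name] = raw
    return values


def character_classes(password):
    """Return which of the four character classes from Table 247 are present."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.digits:
            classes.add("number")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def meets_policy(password):
    """At least eight characters and at least three of the four classes."""
    return len(password) >= 8 and len(character_classes(password)) >= 3


def audit_rc(text):
    """Return findings for one rc file. The password itself is never reported."""
    creds = parse_rc(text)
    password = creds.get("OS_PASSWORD")
    if password is None:
        return ["no OS_PASSWORD assignment found"]
    findings = []
    if creds.get("OS_USERNAME") == DEFAULT_USERNAME:
        findings.append("default username in use")
    if password == DEFAULT_PASSWORD:
        findings.append("default password in use")
    if not meets_policy(password):
        findings.append("password fails the 8-character, 3-of-4-class rule")
    return findings


if __name__ == "__main__":
    # On a real node, audit whichever of the documented files exist.
    for model, paths in RC_FILES.items():
        for path in paths:
            if os.path.exists(path):
                with open(path) as handle:
                    for finding in audit_rc(handle.read()):
                        print(f"{path} ({model}): {finding}")
    # Offline demonstration on the constructed sample.
    for finding in audit_rc(SAMPLE_RC):
        print(f"sample: {finding}")
```

The documented default password has only lowercase letters and a digit, so it is flagged both as a default and as failing the complexity rule.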
Related Documentation
• Network Service Designer Overview on page 463
CHAPTER 48
Creating Requests for Network Services
• Network Services and Service Chains Overview on page 465
• Performance Overview on page 466
• About the Requests Page for the Network Service Designer on page 467
• Creating Requests for Network Services on page 468
• Creating a Functional Service Chain on page 470
• Configuring Performance Goals on page 470
• Viewing Requests for Network Services on page 472
Network Services and Service Chains Overview
The terms network service and service chain are sometimes used interchangeably, but
they are not the same; you need to understand the difference between them:
• A network service is a final product offered to end users with a full description of its
functionality and specified performance.
Administrators deploy network services between two locations in a virtual network,
so that traffic traveling in a specific direction on that link is subject to action from that
service. This term is defined in the ETSI Network Functions Virtualization (NFV)
standard.
• A service chain refers to the structure of a network service, and consists of a set of
linked network functions, which are provided by specific virtualized network functions
(VNFs), with a defined direction for traffic flow and defined ingress and egress points.
Although not defined in the ETSI NFV standard, this term is regularly used in NFV and
software-defined networking (SDN).
You can create a service chain in the Network Service Designer by using:
• One VNF instance that provides one or more functions. See Figure 3 on page 466.
Using one VNF instance instead of multiple instances increases performance.
• Multiple instances of the same VNF, each providing certain functions. See
Figure 4 on page 466.
Using multiple instances of the same VNF lowers performance, such as when you want
to create differentiated services.
• Instances of different VNFs, each providing certain functions. See Figure 4 on page 466.
You might need to use different VNFs if one VNF cannot fulfill all network functions or
if a particular VNF offers an advantage for a network function.
Figure 3: Service Chain with One VNF Instance That Provides All Functions
[Figure: ingress point; one VNF instance containing NAT and Firewall; egress point]
Figure 4: Service Chain with Either Multiple Instances of the Same VNF or Multiple VNFs
[Figure: ingress point; VNF A Instance 1; VNF A Instance 2 or VNF B Instance 1; NAT; Firewall; egress point]
Related Documentation
• Performance Overview on page 466
• Designing Network Services on page 475
• Defining Ingress and Egress Points for a Service Chain on page 479
Performance Overview
The following parameters define the performance of a network service, a virtualized
network function (VNF), and the component functions of a VNF:
• Sessions—Maximum number of sessions allowed for one instance of the service.
• Bandwidth (Mbps or Gbps)—Data rate for the function or service.
• Latency (ms or ns)—Time taken by a packet to traverse the function or service.
• License cost (USD)—Cost of the function or service.
Vendors provide specified values for these parameters for a VNF and for each allowed
combination of components in the VNF (internal service chain). You can view the specified
values in the Vendor catalog.
Network Service Designer evaluates the aggregate performance of the design against
the goals in the request and displays the information in the Goals pane.
Related Documentation
• Configuring Performance Goals on page 470
• Monitoring Performance Goals on page 480
• VNF Overview on page 447
• Viewing Information About VNFs on page 475
• Designing Network Services on page 475
About the Requests Page for the Network Service Designer
To access this page, click Home > Requests.
Use the Requests page to create and manage requests for new network services. You
must create a request before you can design a network service.
A request contains information about the required service, such as:
• The customer’s name.
• The requested functions in the network service. For example, NAT, UTM, and firewall.
• The performance goals for the service.
As soon as you start to design the network service, the request becomes a design, which
you track on the Designs page. See “About the Designs Page for the Network Service
Designer” on page 495.
Tasks You Can Perform
You can perform the following tasks from this page:
• Create requests for new network services. See “Creating Requests for Network Services”
on page 468.
• Specify a sequence of network functions that you want in the network service. See
“Creating a Functional Service Chain” on page 470.
• View open requests for network services. See “Viewing Requests for Network Services”
on page 472.
Field Descriptions
Table 249 on page 467 provides guidelines on using the fields on the Requests page for
the Network Service Designer.
Table 249: Fields on the Requests Page for the Network Service Designer

| Field | Description |
|---|---|
| New Request | Click to request a new network service design. The New Request page allows you to define the requirements for your network service design. |
| Begin | Hover over a saved request and click Begin to design a network service. The Build page appears. You can specify the virtual network function, update the function configuration, and specify the performance goals. |
| Edit | Click to edit the network service design request details. |
| Delete | Click to delete a network service design request. |
Related Documentation
• Network Service Designer Overview on page 463
• About the Designs Page for the Network Service Designer on page 495
Creating Requests for Network Services
You must create a request before you can design a network service. When you create a
request for a network service, you define the requirements for the service, including the
required network functions and the performance goals.
To create a request for a network service:
1. Click Home in the toolbar and Requests in the left navigation bar.
2. Click New Request.
The Request Information page in which you specify information about the request
appears.
3. Configure the request information according to the guidelines provided in
Table 250 on page 469.
4. Click Next.
The Service Chain and Design Goals page appears, displaying the Goals pane, the
Functional Service Design area, and the Function Palette.
5. Configure the goals and service chain according to the guidelines provided in
Table 250 on page 469.
6. Click Next.
The Summary page appears that displays the details you entered for the request.
7. Review the details and make corrections if necessary, using the Previous and Next
options to navigate through the pages.
8. After updating the information, click Create.
The request for the network service design appears on the Requests page.
Table 250: Fields on the New Request Page

| Field | Description |
|---|---|
| Request Information | |
| Name | Specify the name for the request. The Name field accepts up to 60 characters, including letters, numbers, and symbols. |
| Priority Request | (Optional) If the request is urgent, select the Priority Request check box. |
| Customer Name | (Optional) Specify a customer name. The Customer Name field accepts up to 60 characters, including letters, numbers, and symbols. |
| Description | (Optional) Specify a description for the service. The Description field accepts up to 500 characters, including letters, numbers, and symbols. |
| Requirements | (Optional) Specify the requirements for the request. The Requirements field accepts up to 1000 characters, including letters, numbers, and symbols. |
| Deployment Type | (Optional) Select a Deployment Type from the drop-down list. The available options are vCPE-Only and uCPE-Only. The default option is vCPE-Only. |
| Attachments | (Optional) Click Select Files, navigate to the file you want to attach, and click Open. The file is uploaded to the Attachments (Optional) field. |
| Service Chain and Design Goals | |
| Function Palette | View the list of supported network functions in the Function Palette. You can drag the network function from the Function Palette and drop it to the Functional Service Design area. |
| Functional Service Design | Create a functional service chain by placing the required network functions in the required order. See “Creating a Functional Service Chain” on page 470. |
| Goals | Configure the performance goals for a network service. You can define goals for the number of sessions, bandwidth, latency, and license cost. See “Configuring Performance Goals” on page 470. |
| Summary | Review the details and make corrections if necessary, using the Previous and Next options to navigate through the pages. |
Related Documentation
• Network Services and Service Chains Overview on page 465
• Performance Overview on page 466
• Designing Network Services on page 475
• Configuring Performance Goals on page 470
• Creating a Functional Service Chain on page 470
Creating a Functional Service Chain
Network Service Designer automatically connects the network functions in the order that
you place them in the design area. You can insert a function between two functions
already on the design pane. If you make an error, you can use the delete icon or you can
right-click a component in the design area and delete the component.
NOTE: The WAN links that are supported are WAN0, WAN1, and WAN2.
To create a functional service chain:
• For a centralized deployment model, drag and drop the network functions in the required
order from the Function Palette to the Functional Service Design area.
• For a distributed deployment model, drag the network function from the Function
Palette and drop it to the Functional Service Design area in the following order:
  • Between the ingress point and AppRouting function
  • Between the AppRouting function and WAN links
  • Between WAN Links and the egress point
Related Documentation
• Creating Requests for Network Services on page 468
Configuring Performance Goals
To configure the performance goals of a network service:
1. Click Home > Requests > New Request.
2. Enter the request information and click Next.
3. In the Goals pane, click Add Goal.
The New Goal window is displayed.
4. Configure the goals according to the guidelines provided in Table 251 on page 471.
BEST PRACTICE: Adding one or more goals to the request enables you to
track performance of those parameters when you design a network service
for the request. Although adding goals is not mandatory, we recommend
that you do so.
5. Click Save.
Table 251: Fields on the Performance Goal Page

| Field | Description |
|---|---|
| Session | |
| Goal Value | Specify the target value for the goal. When you design a network service, the goal value is used by the Network Service Designer to evaluate how your design meets the goal. There is no upper limit. As a guideline, typical achievable values for a firewall are as follows: Session: 25,000–60,000 Min. of path; Bandwidth: 185–240 Mbps; Latency: 2–6 ms; License Cost: 100 USD. |
| Acceptable Value | Specify a value that is lower than the target and acceptable for the network service. When you design a network service, the acceptable value is used by the Network Service Designer to evaluate how your design meets the goal. Example: Session: 20,000 Min. of path; Bandwidth: 150 Mbps; Latency: 5 ms; License Cost: 99 USD. |
| Must Value | Specify the minimum value for the goal. The minimum value should be lower than the acceptable value. When you design a network service, the must value is used by the Network Service Designer to evaluate how your design meets the goal. Example: Session: 15,000 Min. of path; Bandwidth: 100 Mbps; Latency: 4 ms; License Cost: 95 USD. |
| Based on | View the method that is used by the Network Service Designer to evaluate how your design meets the goal. You cannot edit this field. Example: Session: Min. of path (if there are multiple VNFs in the service chain, then the VNF with the smallest bandwidth is chosen); Bandwidth: Min. of path; Latency: Cumulative; License Cost: Cumulative. |
| Unit | Specify the measurement unit of the goal. Example: Bandwidth: Mbps, Gbps; Latency: ns, ms; License Cost: USD. |
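The sketch below is an added example, not Network Service Designer code. It applies the "Based on" methods from Table 251 to a two-VNF chain: minimum of path for sessions and bandwidth, cumulative for latency and license cost. The per-VNF figures are constructed, and the grade() tiers are an assumption about how the Goal, Acceptable, and Must values could be compared; they are applied only to the min-of-path metrics, where a higher value is better.

```python
from dataclasses import dataclass

# Aggregation method per metric, from the "Based on" field in Table 251.
BASED_ON = {
    "session": "min_of_path",
    "bandwidth": "min_of_path",
    "latency": "cumulative",
    "license_cost": "cumulative",
}


@dataclass(frozen=True)
class VnfSpec:
    """Vendor-specified performance of one VNF in the chain."""
    name: str
    session: int        # maximum sessions
    bandwidth: int      # Mbps
    latency: int        # ms
    license_cost: int   # USD


@dataclass(frozen=True)
class Goal:
    """One performance goal as entered in the New Goal window."""
    metric: str
    goal: float
    acceptable: float
    must: float


def aggregate(chain):
    """Combine per-VNF values into chain-level values using BASED_ON."""
    if not chain:
        raise ValueError("service chain has no VNFs")
    totals = {}
    for metric, method in BASED_ON.items():
        values = [getattr(vnf, metric) for vnf in chain]
        totals[metric] = min(values) if method == "min_of_path" else sum(values)
    return totals


def bottleneck(chain, metric):
    """Name of the VNF that determines a min-of-path metric."""
    if BASED_ON[metric] != "min_of_path":
        raise ValueError(f"{metric} is cumulative, so no single VNF limits it")
    return min(chain, key=lambda vnf: getattr(vnf, metric)).name


def grade(goal, value):
    """Assumed tiering for higher-is-better (min-of-path) metrics only."""
    if BASED_ON[goal.metric] != "min_of_path":
        raise ValueError("grading is defined here for min-of-path metrics only")
    if value >= goal.goal:
        return "meets goal"
    if value >= goal.acceptable:
        return "acceptable"
    if value >= goal.must:
        return "meets must value"
    return "below must value"


# Constructed chain: values chosen inside the firewall ranges quoted in Table 251.
CHAIN = [
    VnfSpec("firewall", session=60000, bandwidth=240, latency=2, license_cost=100),
    VnfSpec("nat", session=25000, bandwidth=185, latency=3, license_cost=50),
]

# Acceptable and must values are the table's examples; the bandwidth goal is constructed.
GOALS = [
    Goal("session", goal=25000, acceptable=20000, must=15000),
    Goal("bandwidth", goal=200, acceptable=150, must=100),
]

if __name__ == "__main__":
    totals = aggregate(CHAIN)
    print(totals)
    for g in GOALS:
        limiter = bottleneck(CHAIN, g.metric)
        print(f"{g.metric}: {totals[g.metric]} ({grade(g, totals[g.metric])}), limited by {limiter}")
```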
Related Documentation
• Performance Overview on page 466
• Monitoring Performance Goals on page 480
Viewing Requests for Network Services
You can view the requests for a network service in a hierarchical grid view and tree view.
The grid view is the default option.
To view the requests for a network service in the tree view:
1. Select Home > Requests.
The Request page appears. All requests for a network service are displayed in the grid
view.
2. Click Show Details (hierarchy icon at the top left of the page).
The requests for the network service are listed in the Home page.
3. Select a request to view the detailed information about the customer, supported
function requirements, and design goals.
Related Documentation
• About the Requests Page for the Network Service Designer on page 467
CHAPTER 49
Creating Network Services
• About the Build Page for the Network Service Designer on page 473
• Viewing Information About VNFs on page 475
• Designing Network Services on page 475
• Connecting VNFs in a Service Chain on page 478
• Defining Ingress and Egress Points for a Service Chain on page 479
• Monitoring Performance Goals on page 480
• Configuring Network Services on page 481
• vSRX Configuration Settings on page 482
• LxCIPtable VNF Configuration Settings on page 489
• Cisco CSR-1000v VNF Configuration Settings on page 491
• Silver Peak VX VNF Configuration Settings on page 493
• Riverbed Steelhead VNF Configuration Settings on page 493
About the Build Page for the Network Service Designer
To access this page, click Home > Designs > Design Name > Edit.
You can also view the Build page by following these steps:
1. Click Home in the toolbar and Requests in the left navigation bar.
2. Hover over an existing request.
A menu appears at the bottom right of the request that you are hovering over.
3. Click Begin.
The Build page appears.
Use the Build page to design, configure, save, and publish a network service. You can
also view VNFs to use in your design and monitor how the design performs against your
target goals.
Tasks You Can Perform
You can perform the following tasks from this page:
• View performance specifications, required resources, and component network functions
for each VNF. See “Viewing Information About VNFs” on page 475.
• Design a service chain for both distributed and centralized deployment models. See
“Designing Network Services” on page 475.
• Define the ingress and egress point for a service chain. See “Defining Ingress and Egress
Points for a Service Chain” on page 479.
• Connect VNFs in a service chain. See “Connecting VNFs in a Service Chain” on page 478.
• Configure the performance goals of a network service. See “Configuring Performance
Goals” on page 470.
• Monitor the performance of a service. See “Monitoring Performance Goals” on page 480.
Field Descriptions
Table 252 on page 474 provides guidelines on using the fields on the Build page for the
Network Service Designer.
Table 252: Fields on the Network Service Build Page

| Field | Description |
|---|---|
| Functional Service Design | View the functions in the network service. |
| Network Service Design | Drag and drop the VNFs from the VNF category, add ingress and egress points, and connect the VNFs. |
| Goals | Click to monitor the performance goals for the network service. |
| Info | Click to add the information about the Network Service Design that you want to track. |
| Docs | Click to upload documents about the Network Service Design, such as specifications, or requirement documents. |
| VNF Category | Choose the VNFs from the VNF category. |
| Functional Configuration | Click to configure the VNF settings. |
| Save NSD | Click to save the network service design template. |
| Publish NSD | Click to publish the network service design template to the network service catalog. |
| Delete NSD | Click to delete multiple NSD templates together. |
Related Documentation
• About the Designs Page for the Network Service Designer on page 495
Viewing Information About VNFs
You can view performance specifications, required resources, and component network
functions for each VNF, which you created in the Resource Designer, in the VNF catalog.
Reviewing this information can help you to determine which VNF to use when you are
designing a network service.
To view information about a specific VNF:
1. Click the network function in the Vendor catalog.
The information window for the network function appears, displaying the following
information in the Details tab:
• A graphical representation of the complete network function with ingress and egress
points.
• A list of resources required for the network function.
2. Click Functions.
You see the category of the network function, such as security, and the component
functions, such as NAT and firewall.
3. Click Service Chains to display:
• A list of the potential internal service chains (allowed combinations of component
functions) for this network function.
Lines without arrows connecting component functions in an internal service chain
indicate that the order of the functions does not matter.
• The performance specification for each internal service chain.
4. Click anywhere outside the window to close the VNF information window.
Related Documentation
• VNF Overview on page 447
• Performance Overview on page 466
Designing Network Services
When you save a request it appears on the Requests page. You can then design a service
chain to fulfill the request, using VNFs in the Vendor catalog to provide the requested
network functions.
You can design the service chains for the following deployment models:
• Designing a Network Service for a Centralized Deployment on page 476
• Designing a Network Service for a Distributed Deployment on page 477
Designing a Network Service for a Centralized Deployment
To design a service chain for a centralized deployment model:
1. Click Home in the toolbar and Requests in the left navigation bar.
The Requests page appears, displaying the open requests.
2. Click Begin.
The Build page displays the requested network functions and the goals.
3. Click the first function in the chain.
The VNF catalog at the bottom right of the page is refreshed to show the VNFs that
provide this function.
4. Drag and drop a VNF from the catalog to the Network Service Design workspace.
The function appears inside the VNF image.
5. Add an ingress point to the first VNF in the chain.
The Performance Goals pane is refreshed to indicate how the network service design
meets the defined goals.
6. Click the next function in the chain.
The VNF catalog is refreshed to show only the VNFs that provide this function, and,
if a VNF in the Network Service Design workspace supports this function, a faded
image of the function appears inside the VNF image.
7. Choose a VNF for this function:
• To implement this function with the same VNF, click the faded image in the VNF
image.
• To implement this function with a different VNF, drag the VNF from the Vendor
catalog to the Network Service Design workspace.
8. Repeat Step 6 and Step 7 until you have assigned a VNF to each required network
function. If you make an error in the design area, you can right-click and delete the
component.
9. If you have used multiple VNFs in your design, connect them by packet flow.
10. Add an egress point to the last VNF in the chain.
The Performance Goals pane is refreshed again to indicate how the network service
design meets the customer goals.
11. Click Save NSD to save the design.
12. (Optional) Configure the Network Service.
13. Click Publish NSD to add the service to the catalog.
The Publish NSD page appears.
a. Specify a name (that customers see) for this network service.
The field accepts up to 60 characters, including letters, numbers, and symbols.
b. Specify a description of the service.
The field accepts up to 500 characters, including letters, numbers, and symbols.
c. Select the type of service from the menu.
d. Click Publish.
Designing a Network Service for a Distributed Deployment
To design a service chain for a distributed deployment model:
1. Click Home in the toolbar and Requests in the left navigation bar.
The Requests page appears, displaying the open requests.
2. Click Begin.
The Build page displays the requested network functions and the goals.
3. Click the first function in the chain.
The Vendor catalog is refreshed to show only the VNFs that provide this function.
4. Drag the VNF from the Vendor catalog and drop the network functions at the
appropriate points in the network chain to meet the requirements of your network.
The Performance Goals pane is refreshed to indicate how the network service design
meets the customer goals.
NOTE: The ingress point, egress points, and gateway router are
automatically updated for the distributed deployment model.
5. Click the next function in the chain.
The Vendor catalog updates to show only the VNFs that provide this function, and, if
a VNF in the Network Service Design workspace supports this function, a faded image
of the function appears inside the VNF image.
6. If you have used multiple VNFs in your design, then drag and drop the network functions
at the appropriate points in the network chain.
The Performance Goals pane again updates to indicate how the network service
design meets the customer goals.
7. Repeat Step 4 and Step 5 until you have assigned a VNF to the required network
function. If you make an error, you can right-click a component in the network service
design area and delete the component.
8. (Optional) Click Function Configuration and configure the network service.
9. Click Save NSD to save the design.
10. Click Publish NSD to add the service to the catalog.
The Publish NSD page appears.
a. Specify an official name (that customers see) for this network service.
The field accepts up to 60 characters, including letters, numbers, and symbols.
b. Specify a description of the service for customers to read.
The field accepts up to 500 characters, including letters, numbers, and symbols.
c. Select the type of service from the menu.
d. Click Publish.
Related Documentation
• Network Services and Service Chains Overview on page 465
• Performance Overview on page 466
• Defining Ingress and Egress Points for a Service Chain on page 479
• Connecting VNFs in a Service Chain on page 478
• Configuring Network Services on page 481
Connecting VNFs in a Service Chain
To connect VNFs in a service chain:
1. Click Connect, then click ELAN.
The dots that represent potential ingress and egress points on the VNFs enlarge.
2. Hover over the egress point of the first VNF until a green circle appears.
3. Click and hold the green circle, then drag the cursor to the green circle that appears
around the ingress point for the next VNF, and release the mouse button.
A one-way arrow indicating the flow of traffic in the service chain appears.
4. Repeat Step 1 through Step 3 until you have connected all VNFs in the service chain.
Related Documentation
• Network Services and Service Chains Overview on page 465
• Designing Network Services on page 475
Defining Ingress and Egress Points for a Service Chain
To define the ingress point and the egress point for a service chain that you are designing:
1. Click Ingress.
The dots that represent potential ingress and egress points on VNFs enlarge.
2. Click the dot that represents the ingress point for the service chain.
An arrow indicating the direction of traffic flow with the label I appears.
3. Click Egress.
4. Click the dot that represents the egress point for the service chain.
An arrow indicating the direction of traffic flow with the label E appears.
5. Click the egress point of the last VNF to define the egress point.
Related Documentation
• Network Services and Service Chains Overview on page 465
• Designing Network Services on page 475
• Monitoring Performance Goals on page 480
Monitoring Performance Goals
Network Service Designer provides comprehensive information about the performance
of VNFs and their component network functions in the VNF catalog. Network Service
Designer also tracks the aggregate performance of a network service that you are
designing and saves the information to the network service catalog.
Minimizing the number of VNFs and VNF instances in a service chain optimizes the
performance of a network service. For example, using one VNF instance for both NAT
and firewall functions provides higher performance than using either separate instances
of the same VNF or different VNFs to provide the functions.
You specify performance goals for the service when you create a request for a network
service. When you are designing a service chain, you evaluate the performance of your
design against the requested goals.
To monitor the performance of a service that you are designing:
1. Click the right arrow in the Goals pane to view the performance goals.
2. Add an ingress point to the first VNF in the service chain immediately after you assign
that VNF to the first network function.
3. Monitor the values in the Goals pane as you design your service chain.
Related Documentation
• Network Services and Service Chains Overview on page 465
• Performance Overview on page 466
• Designing Network Services on page 475
• Defining Ingress and Egress Points for a Service Chain on page 479
Configuring Network Services
When you are designing a service chain or after you have designed a service chain, you
can configure settings for the VNFs in the chain. The settings available for
configuration are specified in Configuration Designer, and the values for the settings
are specified in Resource Designer. The settings that you configure are:
• The virtual container in which the VNF resides.
• The network functions, such as NAT or firewall.
The settings that you can configure depend on the actual VNF. Manual configurations
are optional and override automatic configurations specified by the Cloud CPE solution
deployment script, other Contrail Service Orchestration components, or default settings
that you configured with Resource Designer.
To configure the network service:
1. View the service chain design on the Build page.
If the design is not currently visible on the Build page:
a. Click Home in the toolbar and Designs in the left navigation bar.
The list of saved and published designs appears.
b. Click Edit for the network service you want to configure.
The Build page appears, displaying the service chain design.
2. Click Function Configuration.
The Service page appears, displaying the VNFs in the service chain and the Base
Configure tab for the first VNF in the Functional Service Design workspace.
3. Specify the settings on the Base Configure tab.
This action configures the virtual machine in which the VNF resides.
BEST PRACTICE:
• Complete all the settings in the Base Configure tab to optimize your
deployment. End users can see these settings in Customer Portal or
custom access software and should not override them.
• Configure a few example settings for the service. These example settings
must be generic and not network-specific. End users can configure
service settings specific to their networks in Customer Portal.
4. (Optional) Specify settings on the other tabs for this VNF to customize a particular
function such as NAT.
End users can customize their own services with these settings in Customer Portal.
Settings that end users specify in Customer Portal override conflicting settings that
you specify in Network Service Designer.
5. Click the next VNF icon in the Configuration page.
6. Repeat Step 3 and Step 4.
7. Repeat Steps 5 through 7 for each VNF in the chain.
8. Click OK.
The Service page closes.
Related Documentation
• vSRX Configuration Settings on page 482
• LxCIPtable VNF Configuration Settings on page 489
• Cisco CSR-1000v VNF Configuration Settings on page 491
• Silver Peak VX VNF Configuration Settings on page 493
• Riverbed Steelhead VNF Configuration Settings on page 493
vSRX Configuration Settings
BEST PRACTICE: Service providers configure base settings for a VNF.
Customers should not change these values unless directed to do so by their
service provider. Service providers may provide some generic examples of
service configurations for their customers. Customers can configure
services—for example, by creating policies—appropriate to their networks in
Customer Portal.
Use the information in the following tables to provide values for the available settings:
• Table 253 on page 483 shows the settings you can configure for the virtual machine
(VM) that contains the VNF.
• Table 254 on page 484 shows the firewall settings you can configure.
NOTE: Firewall is supported on both centralized deployment model and
distributed deployment model.
• Table 255 on page 486 shows the Network Address Translation (NAT) settings you can
configure.
NOTE: NAT is supported in distributed deployment model only.
• Table 256 on page 487 shows the unified threat management (UTM) settings you can
configure.
NOTE: UTM is supported on both centralized deployment model and
distributed deployment model.
Table 253: Fields for the vSRX Base Settings
Field
Description
Host Name
For a cloud site, specify the hostname of the VM that contains the vSRX VNF. The field has no
limit on the number of characters and accepts letters, numbers, and symbols.
Example: vm-vsrx
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
Loopback Address
Specify an IPv4 loopback address for the management interface of the VM.
Example: 192.0.2.25
DNS Servers
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name
servers.
Example: 192.0.2.35
NTP Servers
Specify the FQDNs or IP addresses of one or more NTP servers.
Example: 192.0.2.45
Syslog Servers
Specify the FQDNs or IP addresses of one or more system log servers.
Example: 192.0.2.55
Enable Re-filter
Select True to enable a stateless firewall filter that protects the Routing Engine from
denial-of-service (DoS) attacks, or False to leave the filter disabled, which leaves the
Routing Engine exposed to DoS attacks.
Example: True
Enable Default Screens
For a cloud site, select True to enable the default screens security profile for the destination zone
or False to disable default screening.
Example: False
You cannot configure this setting for an on-premise site.
Time Zone
Specify the time zone for the VM.
Example: UTC
Right Interface
Specify the identifier of the VM interface that transmits data.
Example: ge-0/0/1
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
Left Interface
Specify the identifier of the VM interface that receives data.
Example: ge-0/0/0
For an on-premise site, the vSRX application resides on the CPE device, and you cannot configure
this setting.
SNMP Prefix List
If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for SNMP operations when it discovers the vSRX VNF.
Example: 10.0.2.0/24
Ping Prefix List
If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual
Appliance uses for ping operations when it discovers the vSRX VNF.
Example: 10.0.2.1/24
Space Servers
If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the
Junos Space Virtual Appliances.
Example: 10.0.2.50
Table 254: Fields for the vSRX Firewall Settings
Field
Description
Policy Name
Specify the name of the rule. The field has no limit on the number of characters and accepts letters,
numbers, and symbols.
Example: policy-1
Source Zone
Select the security zone from which packets originate.
• left—Interface that transmits data to the host
• right—Interface that receives data transmitted from the host
Zone policies are applied to traffic traveling from one security zone (source zone) to another security
zone (destination zone). This combination of a source zone and a destination zone is called a context.
Example: left
Destination Zone
Select the security zone to which packets are delivered.
• left—Interface that transmits data to the host
• right—Interface that receives data transmitted from the host
Zone policies are applied to traffic traveling from one security zone (source zone) to another security
zone (destination zone). This combination of a source zone and a destination zone is called a context.
Example: right
Source Address
Specify the source IP address prefixes that the network service uses as match criteria for incoming traffic.
To add source addresses:
1. Click the Source Address column.
The source-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source
IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 10.0.2.30
Destination Address
Specify the destination IP address prefixes that the network service uses as match criteria for outgoing
traffic.
To add a destination address:
1. Click the Destination Address column.
The destination-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source
IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.0/24
Action
Select permit to transmit packets that match the rule or deny to drop packets that match the rule.
Example: permit
Application
Specify the applications to which the policy applies. The applications are based on protocols and ports.
To specify applications:
1. Click the Application column.
The application page appears.
2. In the allowed_apps field, select any to match any application or app to choose specific applications.
If you select app, press and hold the Ctrl key and click the required applications from the drop-down
list.
• junos-tcp-any
• junos-udp-any
• junos-ftp
• junos-http
• junos-https
• junos-icmp-all
• junos-icmp-ping
• junos-telnet
• junos-tftp
3. Click OK.
Example:
• junos-tcp-any
• junos-udp-any
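The zone context and match fields of Table 254 can be exercised offline before a design is published. The following Python is an added example, not part of the Juniper guide or of Contrail Service Orchestration: it evaluates a flow against policy rows and flags rows that are shadowed, over-broad, or permit cleartext applications. It assumes top-down, first-match evaluation within a context with unmatched traffic denied; the port mapping, the Policy class and the evaluate() and audit() functions are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Application names from Table 254 -> (protocol, well-known port or ICMP type).
# None means any port/type. This mapping is an assumption of the example.
APPS = {
    "junos-tcp-any": ("tcp", None), "junos-udp-any": ("udp", None),
    "junos-ftp": ("tcp", 21), "junos-http": ("tcp", 80), "junos-https": ("tcp", 443),
    "junos-icmp-all": ("icmp", None), "junos-icmp-ping": ("icmp", 8),
    "junos-telnet": ("tcp", 23), "junos-tftp": ("udp", 69),
}
# Cleartext login or unauthenticated file transfer: review before permitting.
RISKY_APPS = {"junos-telnet", "junos-ftp", "junos-tftp"}


@dataclass(frozen=True)
class Policy:
    name: str
    source_zone: str           # "left" or "right"
    destination_zone: str      # "left" or "right"
    source_address: str        # "any", or a prefix (the "ipp" choice)
    destination_address: str   # "any", or a prefix
    action: str                # "permit" or "deny"
    applications: tuple        # ("any",) or names from APPS


def addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def app_matches(apps, proto, port):
    return "any" in apps or any(
        APPS[a][0] == proto and APPS[a][1] in (None, port) for a in apps)


def evaluate(policies, src_zone, dst_zone, src, dst, proto, port):
    """Return (action, policy name) for one flow.

    Assumption: rules of a context (source zone, destination zone) are checked
    top-down, the first match wins, and traffic that matches no rule is denied.
    """
    for p in policies:
        if ((p.source_zone, p.destination_zone) == (src_zone, dst_zone)
                and addr_matches(p.source_address, src)
                and addr_matches(p.destination_address, dst)
                and app_matches(p.applications, proto, port)):
            return p.action, p.name
    return "deny", None


def net_covers(outer, inner):
    """True if `outer` ("any" or a prefix) contains all of `inner`."""
    if "any" in (outer, inner):
        return outer == "any"
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def apps_cover(outer, inner):
    if "any" in outer or "any" in inner:
        return "any" in outer
    return all(app_matches(outer, *APPS[a]) for a in inner)


def audit(policies):
    """Return (policy name, finding) pairs to review before publishing."""
    findings = []
    for i, p in enumerate(policies):
        for e in policies[:i]:   # an earlier, wider rule in the same context wins
            if ((e.source_zone, e.destination_zone) == (p.source_zone, p.destination_zone)
                    and net_covers(e.source_address, p.source_address)
                    and net_covers(e.destination_address, p.destination_address)
                    and apps_cover(e.applications, p.applications)):
                findings.append((p.name, f"never matches: shadowed by {e.name}"))
                break
        if p.action != "permit":
            continue
        if p.source_address == p.destination_address == "any" and "any" in p.applications:
            findings.append((p.name, "permits any source, destination and application"))
        for app in sorted(RISKY_APPS.intersection(p.applications)):
            findings.append((p.name, f"permits {app}"))
    return findings


# Constructed sample rows; names and prefixes follow the style of the table's examples.
SAMPLE = [
    Policy("policy-1", "left", "right", "any", "192.0.2.0/24", "permit",
           ("junos-http", "junos-https")),
    Policy("policy-2", "left", "right", "10.0.2.30/32", "192.0.2.0/24", "deny",
           ("junos-http",)),
    Policy("policy-3", "right", "left", "any", "any", "permit", ("any",)),
    Policy("policy-4", "left", "right", "10.0.2.0/24", "any", "permit",
           ("junos-telnet",)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
    # policy-2 is meant to block this host, but policy-1 matches first.
    print(evaluate(SAMPLE, "left", "right", "10.0.2.30", "192.0.2.10", "tcp", 80))
```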
Table 255: Fields for the vSRX NAT Settings
Field
Guidelines
NAT Source Name
Specify the source IP address of packets that the policy rules match.
Example: 10.0.2.2/24
NAT Destination Name
Specify the destination IP address of packets that the policy rules match.
Example: 10.0.2.3/24
NAT policy settings—For information about the following policy settings, see the firewall policy settings in Table 2.
• Policy Name
• Source Zone
• Destination Zone
• Source Address
• Destination Address
• Action
• Application
Table 256: Fields for the vSRX UTM Settings
Field
Description
Antivirus
Select True to check for viruses in application layer traffic against a virus signature database.
Select False to disable checking for viruses.
Example: True
Antispam
Select True to block spam e-mails or False to allow spam e-mails.
Example: True
Antispam Black List
Specify an address blacklist for local spam filtering.
Blacklists contain e-mail addresses from which you do not want to receive messages.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there
is no match, then the blacklist is checked.
Example: john@example.net
Antispam White List
Specify an address whitelist for local spam filtering.
Whitelists contain e-mail addresses from which you want to receive messages.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there
is no match, then the blacklist is checked.
Example: user@example.net
Antispam Action
Select the antispam action that you want the device to take when it detects spam:
• block—Blocks the message
• tag-subject—Tags the subject field with a preprogrammed string
• tag-header—Tags the message header with a preprogrammed string
Example: block
Content Filter
Select True to block different types of traffic based on the MIME type, file extension, protocol
command, and embedded object type or False to permit these types of traffic.
Example: True
Content Filter Extensions
Specify one or more file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3
connections.
Example: exe, pdf, js
Content Filter Mime
Specify the MIME types to be blocked or permitted over HTTP, FTP, SMTP, IMAP, and POP3
connections.
Example: application, exe
Content Filter Protocol Commands
Specify commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols to block traffic based
on these commands.
Example: put, mput
Content Filter Content Type
Press and hold the Ctrl key and click one or more of the following types of content to specify
filtering of traffic that is supported only for HTTP and is not covered by file extensions or MIME
types:
• Active X
• Windows executable files (.exe)
• HTTP cookie
• Java applet
• Zip files
Example: activex, exe
Content Filter Apply To
Press and hold the Ctrl key and click one or more of the following protocols in the drop-down
list to specify filtering of traffic associated with these protocols:
• HTTP
• FTP
• POP3
• IMAP
• SMTP
Example: http, ftp
Webfilter
Select True to prevent access to specific websites and embedded object types or False to
permit access to all websites.
Example: True
Web Filter Black List
Specify URLs to create a blacklist of websites to block.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple
user-defined categories, each with a permit or block action.
Example:
• www.example1.com
• www.example2.com
Web Filter White List
Specify URLs to create a whitelist of websites that users can always access.
With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and
extracts the URL. The network service then looks up the URL to determine whether it is in the
whitelist or blacklist based on its user-defined category.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple
user-defined categories, each with a permit or block action.
Example: www.example3.net
Policy settings—For information about the following policy settings, see the firewall policy settings in Table 2.
• Source Zone
• Destination Zone
• Source Address
• Destination Address
• Action
• Application
Related Documentation
• Configuring Network Services on page 481
LxCIPtable VNF Configuration Settings
BEST PRACTICE: Service providers configure base settings for a VNF.
Customers should not change these values unless directed to do so by their
service provider. Service providers may provide some generic examples of
service configurations for their customers. Customers can configure
services—for example, by creating policies—appropriate to their networks in
Customer Portal.
Use the information in the following tables to provide values for the available settings:
NOTE: The tables are applicable for centralized deployment model only.
• Table 257 on page 489 shows the base settings you can configure for the Linux container.
• Table 258 on page 490 shows the firewall settings you can configure.
• Table 259 on page 491 shows the Network Address Translation (NAT) settings you can
configure.
Table 257: Fields for the LxCIP Base Settings
Field
Description
Loopback Address
Specify a loopback IP address.
Example: 192.0.2.10
Operation
Select add to apply the policies to a specific route or del to prevent use of the policies on
specific routes.
Example: add
Route
Specify the IP prefix of the route to which the policies should apply.
Example: 192.0.2.20/24
NextHop
Specify the IP address of a Contrail gateway network to which the VM connects.
Example: 192.0.2.20
Table 258: Fields for the LxCIP Firewall Policy Settings
Field
Description
Firewall Policies
Prevent SSH Brute
Select True to prevent SSH brute-force attacks or False to allow SSH brute-force attacks.
Example: False
Prevent Ping Flood
Select True to prevent ping flood attacks or False to allow ping flood attacks.
Example: False
Forwarding Rule Settings
Destination Address
Specify the destination IP address prefix that the network service uses as a match criterion for
outgoing traffic.
Example: 192.0.2.25/24
Operation
Select the operation, which applies to a chain of rules of the same type, from the drop-down list.
The following options are available:
• append—Append the rule to a rule chain.
• insert-before—Insert the rule before a rule with the same name.
• delete—Replace an existing rule with this name.
Example: append
Source Address
Specify the source IP address prefix that the network service uses as a match criterion for outgoing
traffic.
Example: 192.0.2.20/24
Name
Specify the name for the rule. The field has no limit on the number of characters and accepts
letters, numbers, and symbols.
Example: vsrx-fw-policy
Action
Select the action for the rule, which applies to all traffic that matches the specified criteria.
• accept—Transmit packets that match the policy parameters.
• drop—Drop packets that match the policy parameters.
• reject—Reject packets that match the policy parameters.
Example: accept
Service
Specify the service that you want the rule to match.
Example:
• http
• smtp
Type
Select the type of packet that the rule matches.
• input—Packets that the network service receives that are addressed to this VM
• forward—Packets that the network service receives that are addressed to other VMs
• output—Packets that the network service transmits
The application creates a chain of all rules with a particular type.
Example: input
Table 259: Fields for the LxCIP NAT Policy Settings
Field
Description
Left Interface
Specify the name of the interface on which the network service enforces NAT for incoming
traffic.
Example: Eth1
Right Interface
Specify the name of the interface on which the network service enforces NAT for outgoing
traffic.
Example: Eth2
Related Documentation
• Configuring Network Services on page 481
Cisco CSR-1000v VNF Configuration Settings
BEST PRACTICE: Service providers configure base settings for a VNF.
Customers should not change these values unless directed to do so by their
service provider. Service providers may provide some generic examples of
service configurations for their customers. Customers can configure
services—for example, by creating policies—appropriate to their networks in
Customer Portal.
Use the information in the following tables to provide values for the available settings:
NOTE: The tables are applicable for centralized deployment model only.
• Table 260 on page 492 shows the base settings you can configure for the virtual machine
(VM) that contains the VNF.
• Table 261 on page 492 shows the firewall settings you can configure.
Table 260: Fields for the CSR-1000v Base Settings
Field
Description
Host Name
Specify the hostname of the VM.
Example: host1
Loopback Address
Specify the IPv4 loopback IP address.
Example: 10.0.2.50
Name Servers
Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS
name servers.
Example: 10.0.2.15
NTP Servers
Specify the FQDNs or IP addresses of one or more NTP servers.
Example: ntp.example.net
Table 261: Fields for the CSR-1000v Firewall Settings
Field
Description
Left Interface
Specify the identifier of the interface that transmits data to the host.
Example: GigabitEthernet2
Right Interface
Specify the identifier of the interface receiving data transmitted by the host.
Example: GigabitEthernet3
Left to Right Allowed Apps
Select the applications from the drop-down list for which the policy is enforced in outgoing
packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: http, https
Right to Left Allowed Apps
Select the application from the drop-down list for which the policy is enforced for incoming
packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: ftp, udp
Related Documentation
• Configuring Network Services on page 481
Silver Peak VX VNF Configuration Settings
You configure the Silver Peak VX VNF through its own software. Refer to the Silver Peak
VX documentation for information on how to configure the application. You can view
the following setting:
Management IP—IP address of the sxe0 interface on JDM for the NFX250. For example:
192.0.2.25
Related Documentation
• Configuring Network Services on page 481
Riverbed Steelhead VNF Configuration Settings
You configure the Riverbed Steelhead VNF through its own software. See the Riverbed
Steelhead documentation for information about how to configure the application. You
can view the following setting:
Management IP—IP address of the sxe0 interface on JDM for the NFX250. For example:
192.0.2.25.
Related Documentation
• Configuring Network Services on page 481
CHAPTER 50
Managing Network Services
• About the Designs Page for the Network Service Designer on page 495
• Publishing Network Service Designs on page 496
• Copying Network Service Designs on page 497
• Editing Network Service Designs on page 497
• Deleting Network Service Designs on page 498
• Viewing Network Service Designs on page 499
About the Designs Page for the Network Service Designer
To access this page, click Home > Designs.
Use the Designs page to view and manage the network service design templates that
you have saved or published.
Tasks You Can Perform
You can perform the following tasks from this page:
• Publish a network service design template to the network service catalog. See
“Publishing Network Service Designs” on page 496.
• Edit a network service design template. See “Editing Network Service Designs” on
page 497.
• Delete one or more network service designs. See “Deleting Network Service Designs”
on page 498.
• Copy one or more network service designs. See “Copying Network Service Designs” on
page 497.
• View complete details of a network service design. See “Viewing Network Service
Designs” on page 499.
Field Descriptions
Table 262 on page 496 provides guidelines on using the fields on the Designs page for the
Network Service Designer.
Table 262: Fields on the Designs Page for the Network Service Designer
Field
Description
Priority
View the priority of the network service design.
Customer Name
View the customer name. The name can be a string of alphanumeric characters, dashes,
and spaces.
Example: Juniper Networks
Network Design
View the network service design name. The name can be a string of alphanumeric
characters, dashes, and spaces.
Example: nsd-firewall-nat-test
Functional Design
View the name of the functional design, which is obtained from the tenant requirement.
The name can be a string of alphanumeric characters, dashes, and spaces.
Example: nsd-fd-test
Date
View the date and time when the network service design template was created.
Example: 02/06/2017 11:01
Status
View the network service design status:
• Started—Network Service Design template is created and the components need to
be added.
• In-Progress—Network Service Design template is created but the template has not
been validated.
• Validated—Network Service Design template is validated and it is ready to be published.
• Published—Network Service Designer published the network service design template
and it is available to the Customer Portal for use.
Related Documentation
• Network Service Designer Overview on page 463
• About the Requests Page for the Network Service Designer on page 467
Publishing Network Service Designs
After you have designed a network service design template, you need to publish the
design to the network service catalog. Only published designs are available from the
network service catalog.
To publish a completed design to the network service catalog:
1. Select Home > Designs.
The Network Service Designs page appears. All the network service designs are
displayed in a table.
2. Select the network service design that you want to publish.
The status of the template is Validated. For published designs, the status is Published.
3. Select Publish from the Edit drop-down list.
Your network service design is published and available to be used by the network
service catalog. Its status changes from Validated to Published.
Related Documentation
• About the Designs Page for the Network Service Designer on page 495
Copying Network Service Designs
You can create a new network service design template by copying an existing design
template and editing it.
To copy one or more designs that you have saved or published:
1. Select Home > Designs.
The Network Service Designs page appears. All the network service designs are
displayed in a table.
2. Select the network service design that you want to copy and click Copy NSD.
A page requesting confirmation for the copying appears.
3. Click Yes to confirm that you want to copy the designs.
The additional services appear in the table with the status as Validated.
Related Documentation
• About the Designs Page for the Network Service Designer on page 495
Editing Network Service Designs
To edit a network service design that you have saved or published:
1. View the network service design on the Build page.
If the design is not currently visible on the Build page:
a. Click Home in the toolbar and Designs in the left navigation bar.
The list of saved and published designs appears.
b. Click Edit for the network service you want to configure.
The Build page appears, displaying the network service design.
2. Click Function Configuration at the right of the Build page.
The Service page appears, displaying the VNFs in the service chain and the Base
Configure tab for the first VNF in the Functional Service Design workspace.
3. Specify the settings on the Base Configure tab.
This action configures the VM in which the VNF resides.
BEST PRACTICE: Complete all the settings on the Base Configure tab to
optimize the Cloud CPE solution. End users can see these settings in
Customer Portal and should not override them.
4. (Optional) Specify settings on the other tabs for this VNF to customize a particular
function such as Network Address Translation (NAT).
End users can customize their own services with these settings in Customer Portal.
Settings that end users specify in Customer Portal override conflicting settings that
you specify in Network Service Designer.
5. Click the next VNF icon in the Configuration page.
6. Repeat Step 3 and Step 4.
7. Repeat Steps 5 through 7 for each VNF in the chain.
8. Click OK.
The Service page closes.
Related Documentation
• About the Designs Page for the Network Service Designer on page 495
Deleting Network Service Designs
To delete a network service design:
1. Select Home > Designs.
The Designs page appears.
2. Select the network service design that you want to delete.
3. Click Delete.
A page requesting confirmation for the deletion appears.
4. Click Yes to confirm that you want to delete the design.
The network service design is deleted.
To delete multiple designs that you have saved or published:
1. From the list of designs, select the designs that you want to delete.
2. Click Delete NSD.
A page requesting confirmation for the deletion appears.
3. Click Yes to confirm that you want to delete the designs.
The designs are deleted and are then displayed on the Requests Page.
Related Documentation
• About the Designs Page for the Network Service Designer on page 495
Viewing Network Service Designs
You can view the network service design in grid view and tree view. The default option is
grid view.
To view the network service designs that you have saved or published:
1. Select Home > Designs.
The Network Service Designs page appears. All the network service designs are
displayed in a table.
2. Click Show Details.
The network service designs are categorized according to their status and listed in
the Home page.
3. Select a network service design template to view the detailed information about the
design template, such as customer information, resource requirements, network
design, and functional design.
You can edit, publish, or delete a network service design from this view.
Related Documentation
• About the Designs Page for the Network Service Designer on page 495
PART 4
Service and Infrastructure Monitor
• Service and Infrastructure Monitor introduction on page 503
• Monitoring Activities in the Deployment on page 505
CHAPTER 51
Service and Infrastructure Monitor introduction
• Service and Infrastructure Monitor Overview on page 503
• Accessing the Service and Infrastructure Monitor GUI on page 504
Service and Infrastructure Monitor Overview
Service and Infrastructure Monitor operates with the third-party monitoring software
Icinga to provide complete monitoring and troubleshooting of the Cloud CPE solution.
When you deploy the Cloud CPE solution, an Icinga agent is installed on servers and
virtual machines (VMs), which enables Icinga to monitor data on:
• Physical servers
• VMs that host virtualized network functions (VNFs)
• VMs that host microservices
Service and Infrastructure Monitor collects events from microservices in the Cloud CPE
solution, and correlates the events to provide information about network services, their
component VNFs, and the VMs that host the VNFs.
All data is presented through the Icinga GUI. You use the GUI to obtain both a quick visual
display of the Cloud CPE solution status and more detailed lists of event messages.
Colored squares, which may contain numbers, in the GUI provide a visual status of the
Cloud CPE solution network.
• A green square indicates the number of items that are working correctly.
• A yellow square indicates the number of items with potential problems to investigate.
• A red square indicates the number of items that are not working.
• A purple square indicates the number of items with a failed connection.
The following options in the left navigation pane of the Icinga GUI are customized for the
Cloud CPE solution:
• Dashboard
• Network Services
• Infrastructure
Other features in the Icinga GUI are not customized and appear in the standard Icinga
GUI.
Use this Service and Infrastructure Monitor documentation for information about using
the customized options in the GUI. See the Icinga documentation for a general overview
of the GUI and information about all non-customized features.
Related Documentation
• Monitoring Network Services on page 505
• Monitoring VNFs Used in Network Services and the VMs That Host the VNFs on page 506
• Monitoring Microservices on page 509
• Monitoring Microservices and Their Host VMs on page 510
• Monitoring Physical Servers on page 512
Accessing the Service and Infrastructure Monitor GUI
To access the GUI for Service and Infrastructure Monitor:
1. Using a web browser, access the URL for Service and Infrastructure Monitor:
http://central-IP-Address:1947/icingaweb2
central-IP-Address—IP address of the server or VM that hosts the microservices for
the central point of presence (POP)
For example:
http://192.0.2.1:1947/icingaweb2
2. Log in with the username icinga and the password csoJuniper.
Related Documentation
• Service and Infrastructure Monitor Overview on page 503
CHAPTER 52
Monitoring Activities in the Deployment
• Monitoring Network Services on page 505
• Monitoring VNFs Used in Network Services and the VMs That Host the VNFs on page 506
• Monitoring Microservices on page 509
• Monitoring Microservices and Their Host VMs on page 510
• Monitoring Physical Servers on page 512
Monitoring Network Services
Service and Infrastructure Monitor displays information about network services running
in the deployment. This information is related to the Network Service Overview on the
dashboard, which displays information about component VNFs of network services and
the VMs in which the VNFs reside. In this view, however, the focus is on the actual network
service rather than its component VNFs and the VMs in which they reside.
To monitor network services:
1. In the left navigation pane, click Network Services.
Service and Infrastructure Monitor displays an array of network services and monitoring
parameters.
2. In the array, hover over an entry to see additional information for the entry.
3. Click a colored square to see detailed information for the entry.
Table 263 on page 505 shows the meaning of the monitoring parameters for network
services.
Table 263: Parameters for Monitoring Network Services
| Parameter | Meaning |
|---|---|
| Network Service | Name of the network service. |
| Network Service status | State of the network service and the time it entered that state. Up—operational; Down—not operational. |
| Num of Network Functions | Number of VNFs in the service chain. |
| Network Function | Number of network functions in a colored square that indicates the status of the instance. When you click the square you see: an entry for each VNF in the service chain; the status of the host in which the VNF resides; the IP address of the host in which the VNF resides; the name of the VNF; the result from the last ping the Icinga agent sent to the host, including any loss of packets, and the round trip average (RTA) travel time. |
| Commands | Total number of commands issued to monitor the status of the network service since it became operational. |
| Command Status | Result of the commands issued to monitor the status of the network service. When you click the square you see: a list of parameters for a specific network function and its host; the state of the parameter and how long the parameter has been in that state; additional details about the state of the host. |
Related Documentation
• Monitoring VNFs Used in Network Services and the VMs That Host the VNFs on page 506
Monitoring VNFs Used in Network Services and the VMs That Host the VNFs
On the dashboard, the Network Service Overview provides information about the VNFs
used in network services and the VMs that host those VNFs. You can also view information
about the component VNFs in a network service by clicking Monitor Network Services in
the left navigation bar.
To view information about VNFs used in network services and the VMs that host the
VNFs:
1. In the left navigation bar, click Dashboard.
The dashboard appears, displaying several arrays of information.
2. (Optional) In the Network Services Overview array, hover over a colored square in the
array to see the latest event message for a specific parameter and host.
3. (Optional) In the Network Services Overview array, click a colored square to see
detailed information for a specific parameter and host.
4. (Optional) In the Network Services Overview array, click an IP address to view all the
event messages for a host.
5. (Optional) In the Network Services Overview array, click a parameter name to view
event messages on all hosts for that parameter.
See Table 264 on page 507 for information about the monitoring parameters used for
VNFs and the VMs that host them.
Table 264: Parameters for Monitoring VNFs and Their Host VMs
| Parameter | Meaning |
|---|---|
| left_net_interface_input_pckt_rate | Rate of traffic entering the interface that transmits data to the host. |
| left_net_interface_output_pckt_rate | Rate of traffic leaving the interface that transmits data to the host. |
| left_net_interface_stats | State of the interface that transmits data to the network host. Up—operational; Down—not operational. |
| right_net_interface1_stats | State of the interface to which the host transmits data. Up—operational; Down—not operational. |
| right_net_interface_input_packet_rate | Rate of traffic entering the interface to which the host transmits data. |
| right_net_interface_output_packet_rate | Rate of traffic leaving the interface to which the host transmits data. |
| routing_engine_ctrlplane_memusage | Percentage of the Routing Engine’s control plane memory that the VM is using. |
| routing_engine_load_average | Mean percentage of available load capacity used by the Routing Engine’s control plane. |
| routing_engine_system_cpu | Percentage of available CPU capacity used by the Routing Engine’s control plane. |
| <VNF>_activesessions | Number of active sessions of the VNF compared to the maximum number of sessions allowed. |
| <VNF>_failedsessions | Number of sessions of the VNF that VNF Manager failed to activate. |
| <VNF>_performance_session | Number of sessions added (ramp-up rate) for the last 60 seconds. The value does not display the total number of sessions or the number of deleted sessions. |
| <VNF>_performance_spu | Services processing unit (SPU), percentage of CPU capacity that handles the data plane for the security service. |
| check_flowd | Status of the forwarding process on the vSRX VNF. Up—operational; Down—not operational. |
| vsrx_activesessions | Number of active sessions of the vSRX VNF compared to the maximum number of sessions allowed. |
| vsrx_failedsessions | Number of sessions of the VNF that VNF Manager failed to activate. |
| vsrx_system_uptime | Amount of time since the vSRX VNF last became operational. |
| system_memory | Percentage of available RAM used by the vSRX VNF. |
| left_net_interface_status | State of the interface that transmits data to the network host. Up—operational; Down—not operational. |
| right_net_interface_status | State of the interface to which the host transmits data. Up—operational; Down—not operational. |
| right_net_interface_input_pckt_rate | Rate of traffic entering the interface to which the host transmits data. |
| right_net_interface_output_pckt_rate | Rate of traffic leaving the interface to which the host transmits data. |
| vsrx_nat_config | State of the vSRX NAT VNF. Enabled—operational; Disabled—not operational. |
| vsrx_firewall_config | State of the vSRX firewall VNF. Enabled—operational; Disabled—not operational. |
| vsrx_utm_config | State of the vSRX UTM VNF. Enabled—operational; Disabled—not operational. |
| vsrx_dpi_config | State of the DPI firewall VNF. Enabled—operational; Disabled—not operational. |
| iptable_status | State of the LxCIPtable VNF. Enabled—operational; Disabled—not operational. |
| iptable_system_uptime | Amount of time since the LxCIPtable VNF last became operational. |
| cisco_left_interface_status | State of the interface that transmits data to the network host for the CSR-1000V VNF. Up—operational; Down—not operational. |
| cisco_right_interface_status | State of the interface to which the host transmits data for the CSR-1000V VNF. Up—operational; Down—not operational. |
| cisco_left_input_packets | Rate of traffic entering the interface that transmits data to the host for the CSR-1000V VNF. |
| cisco_left_output_packets | Rate of traffic leaving the interface that transmits data to the host for the CSR-1000V VNF. |
| cisco_right_input_packets | Rate of traffic entering the interface to which the host transmits data for the CSR-1000V VNF. |
| cisco_right_output_packets | Rate of traffic leaving the interface to which the host transmits data for the CSR-1000V VNF. |
| cisco_system-uptime | Amount of time since the Cisco CSR-1000V VNF last became operational. |
| cisco_activesessions | Number of active sessions of the Cisco CSR-1000V VNF compared to the maximum number of sessions allowed. |
Related Documentation
• Monitoring Network Services on page 505
Monitoring Microservices
Service and Infrastructure Monitor displays information about microservices running in
each Cloud CPE solution implementation. This information is related to the CSP
Microservices Overview on the dashboard, which displays information about the VMs
in which the microservices reside. In this view, however, the focus is on the actual
microservices rather than the VMs in which they reside.
To monitor microservices:
1. In the left navigation pane, select Infrastructure > CSP Microservices.
Service and Infrastructure Monitor displays an array of CSP microservices and
monitoring parameters.
2. (Optional) In the array, hover over an entry to see additional information for the entry.
3. (Optional) Click a colored square to see detailed information for the entry.
Table 265 on page 510 shows the monitoring parameters for microservices.
Table 265: Parameters for Monitoring Microservices
| Parameter | Meaning |
|---|---|
| CSP Microservice | Name of the microservice. |
| Microservice status | State of the microservice and the time it entered that state. Up—operational; Down—not operational. |
| Number of Instances | Number of instances of the microservice. |
| Instance Status | Number of microservices in a colored square that indicates the status of the instance. When you click the square you see: the status of the host in which the microservice resides; the IP address of the host in which the microservice resides; the name of the microservice; the result from the last ping the Icinga agent sent to the host, including any loss of packets, and the round trip average (RTA) travel time. |
| Monitor Commands | Total number of commands issued to monitor the status of the microservice since it became operational. |
| Command Status | Result of the commands issued to monitor the status of the microservice. When you click the square you see: a list of parameters for a specific host; the state of the parameter and how long the parameter has been in that state; additional details about the state of the host. |
Related Documentation
• Monitoring Microservices and Their Host VMs on page 510
Monitoring Microservices and Their Host VMs
On the dashboard, the CSP Microservices Overview provides information about the VMs
that host microservices. The focus of the CSP Microservices Overview is the VMs that
host the microservices.
To monitor microservices and their host VMs:
1. In the left navigation bar, click Dashboard.
The dashboard appears, displaying several arrays of information.
2. (Optional) In the CSP Microservices Overview array, hover over a colored square in
the array to see the latest event message for a specific parameter and host.
3. (Optional) In the CSP Microservices Overview array, click a colored square to see
detailed information for a specific parameter and host.
4. (Optional) In the CSP Microservices Overview array, click an IP address to view all the
event messages for a host.
5. (Optional) In the CSP Microservices Overview array, click a parameter name to view
event messages on all hosts for that parameter.
See Table 266 on page 511 for information about the monitoring parameters used for
VNFs and the VMs that host them.
Table 266: Parameters for Monitoring VNFs and Their Host VMs
| Parameter | Meaning |
|---|---|
| check cpu usage | Percentage of unused CPU capacity |
| check disk IO | Status of host’s input and output mechanisms for storage |
| check disk usage | Available storage on the VM that hosts the microservice |
| check elasticsearch | Number of processes associated with the database |
| check load average | Measure of load compared to specified values for warning and critical states |
| check memory usage | Percentage of RAM and swap memory used |
| check network usage | Percentage of network resources used |
| check nsdui | Availability of the Network Service Designer application |
| check open files | Number of open files compared to specified values for warning and critical states |
| check paging stats | Amount of data moved from RAM to swap memory compared to specified values for warning and critical states |
| check socket usage | Number of software connections compared to specified values for warning and critical states |
| check_contrail_api | Number of Contrail API processes |
| check_contrail_config | Number of Contrail configuration processes |
| check_contrail_control | Number of Contrail control processes |
| check_contrail_database | Number of Contrail database processes |
| check_contrail_vrouter | Number of Contrail Vrouter processes |
| check_contrail_vrouter_agent | Number of Contrail Vrouter agent processes |
| check_contrail_web | Number of Contrail web core processes |
| check_ifmap_server | Number of Interface for Metadata Access Points (IF-MAP) processes |
| check_nova_api | Number of Nova API processes |
Related Documentation
• Monitoring Microservices on page 509
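The following added example, which is not code from Contrail Service Orchestration or Icinga, models how readings that Table 266 describes as "compared to specified values for warning and critical states" turn into the colored-square counts described in the overview. The thresholds, readings, state names, triage order, and state-to-color mapping are all assumptions made for illustration.

```python
from collections import Counter

# Assumption: how check states map to the square colors described in the overview.
COLOR = {"OK": "green", "WARNING": "yellow", "CRITICAL": "red", "UNREACHABLE": "purple"}
SEVERITY = ["CRITICAL", "UNREACHABLE", "WARNING", "OK"]  # assumed triage order

# Hypothetical thresholds as (direction, warning, critical). "high" alerts as the
# value rises; "low" alerts as it falls, which "check cpu usage" needs because
# Table 266 defines it as the percentage of *unused* CPU capacity.
THRESHOLDS = {
    "check cpu usage": ("low", 20.0, 10.0),
    "check load average": ("high", 4.0, 8.0),
    "check open files": ("high", 8000, 12000),
}

# Constructed readings: (host, parameter, value); None means no result came back.
READINGS = [
    ("192.0.2.10", "check cpu usage", 73.0),
    ("192.0.2.10", "check load average", 1.2),
    ("192.0.2.10", "check open files", 9100),
    ("192.0.2.11", "check cpu usage", 8.0),
    ("192.0.2.11", "check load average", 4.0),
    ("192.0.2.11", "check open files", 3000),
    ("192.0.2.12", "check cpu usage", None),
    ("192.0.2.12", "check load average", None),
    ("192.0.2.12", "check open files", None),
]


def classify(parameter, value):
    """Return the state of one reading against its warning/critical thresholds."""
    if value is None:
        return "UNREACHABLE"
    direction, warn, crit = THRESHOLDS[parameter]
    if direction == "low":  # negate so one >= comparison serves both directions
        value, warn, crit = -value, -warn, -crit
    if value >= crit:
        return "CRITICAL"
    if value >= warn:
        return "WARNING"
    return "OK"


def tally(readings):
    """Count readings per color, like the numbers shown inside the squares."""
    counts = Counter(COLOR[classify(p, v)] for _host, p, v in readings)
    return {color: counts[color] for color in COLOR.values()}


def needs_attention(readings):
    """List every non-OK reading, most severe first, for triage."""
    flagged = [(h, p, classify(p, v)) for h, p, v in readings]
    flagged = [row for row in flagged if row[2] != "OK"]
    return sorted(flagged, key=lambda row: SEVERITY.index(row[2]))


if __name__ == "__main__":
    print(tally(READINGS))
    for host, parameter, state in needs_attention(READINGS):
        print(f"{COLOR[state]:<7}{host:<12}{parameter} -> {state}")
```

Treating "check cpu usage" as a rising-value check would report the host with 8 percent unused CPU as healthy, so the direction of each threshold has to follow the parameter's definition in the table.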
Monitoring Physical Servers
Service and Infrastructure Monitor tracks the state of each physical server on which the
Icinga agent is installed.
To monitor physical servers:
1. In the left navigation bar, select Infrastructure > CSP Bare Metal.
Service and Infrastructure Monitor displays an array of physical servers and monitoring
parameters.
2. In the array, hover over an entry to see additional information for the entry.
3. Click a colored square to see detailed information for the entry.
See Table 267 on page 513 for information about the parameters.
Table 267: Parameters for Monitoring Physical Servers
| Parameters | Meaning |
|---|---|
| Group Status | State of the server cluster and the time when it entered that state. Up—Operational; Down—Not operational. |
| Number of Servers | Number of servers in the server cluster. |
| Server Status | Number of servers in a colored square that indicates the status of the servers. When you click the square you see: an entry for each server in the cluster; the status of the server; the IP address of the server; the hostname of the server; the result from the last ping the Icinga agent sent to the server, including any loss of packets, and the round trip average (RTA) travel time. |
| Commands | Total number of commands issued to monitor the status of the server since it became operational. |
| Command Status | Result of the commands issued to monitor the status of the server. When you click the square you see: a list of parameters for a specific server; the state of the parameter and how long the parameter has been in that state; additional details about the state of the server. |
Related Documentation
• Service and Infrastructure Monitor Overview on page 503