Ambassador Insights
Contrail Service Orchestration (CSO)
Feb 24, 2020

Juniper Networks Contrail SD-WAN, SD-LAN, and NGFW management solutions offer automated branch connectivity while improving network service delivery and agility. CSO is a multi-tenant platform that manages physical and virtual network devices, creates and manages Juniper Networks and third-party virtualized network functions (VNFs), and uses those elements to deploy network solutions for both enterprises and service providers (SPs) and their customers. CSO multi-tenancy provides security and tenant isolation that keeps the objects and users belonging to one tenant or operating company (OpCo) from seeing or interacting with those of another tenant or OpCo.


The CSO platform itself can be deployed in one of two ways:

  • As a downloadable, on-premise platform in which you (or your company) become the SP administrator (cspadmin user). In an on-premise deployment, the cspadmin user has complete read-write management access and responsibility for the CSO micro-services platforms, orchestration and management infrastructure, and all underlay networks needed to allow access to CSO and its solutions.
  • As a software as a service (SaaS) platform, hosted in a public cloud, to which tenants and OpCos subscribe. In a SaaS deployment, Juniper Networks manages the necessary micro-services infrastructure, the secure orchestration and management (OAM) infrastructure, and the underlay networks needed to allow access to CSO and its solutions.


I've spent the last few weeks evaluating Juniper Networks' latest release of CSO, version 5.1.1.  Although this is a new product to me, I've found it extremely easy to learn and navigate my way around the platform.


After setting up my subscription on Juniper's cloud platform I was up and running without needing any servers, appliances or VMs.  I've built my lab using various flavours of SRX, NFX and vSRX to get a good feel for how they may differ.  Within 3 hours I had onboarded four SRXs, one NFX with vSRX and two EX4300 switches.  My lab was up and running in no time at all thanks to the ease of the Zero Touch Provisioning built into CSO.  The devices were configured with IPsec tunnels, routing protocols and hardened to vendor best practices, amongst other needed configuration.


Entering configuration mode on the devices is prohibited by default; after all, CSO is now the orchestration and automation tool.  The days of inconsistent and incorrect configuration appear to be coming to an end, as CSO configured my devices to perfection.


On login to the system you are presented with a dashboard, something you can customise to fit your own requirements.  The easy-to-use drag-and-drop widgets make it quick to set up your own personalised dashboard.  Various firewall and threat widgets are available.  Different departments within your organisation can have different dashboards showing what is meaningful to them.


Contrail 5.1.1 Dashboard

Moving down the menu options to the Monitor tab: this is where I spend most of my time now that the lab build is complete. During the onboarding process you can enter the postal code/zip code of the site and CSO will position it for you on the topology map. The topology map shows site status and link status, and allows you to drill down for more specific information. Depending on the size of your network you can have a full mesh topology, or regional hubs in a full mesh with spoke sites connecting to the relevant regional hubs. Although all my devices are connected in the same lab I've chosen to give them postal codes around the UK, giving me the topology below.

My topology is a full mesh of dual IPsec tunnels. One IPsec tunnel is MPLS-facing while the other is Internet-facing. This allows me to steer traffic over either tunnel based on application or SLA requirements.


Contrail 5.1.1 Map

Link Switch Events - monitor SLAs with your service providers, or simply identify any issues you may have with a link. A great view for your operations team.


Contrail 5.1.1 Link Switch Events

Security Events - you can view a brief summary of all the events in your network. At the centre of the page is critical information, including the total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim lane view of the different events happening at a specific time. The events include firewall, web filtering, VPN, content filtering, antispam, antivirus, and IPS. Each event is colour-coded, with darker shades representing a higher level of activity. Each tab provides detailed information such as the type and number of events occurring at that time.


Contrail 5.1.1 Security Events

Application SLA Performance - this will help you quickly identify which sites are having performance issues and with which applications. View a graphical representation of the performance of the SLA parameters such as round-trip time (RTT), latency, packet loss, and jitter for the specified time range for MPLS and Internet WAN links for all SLA profiles.


Contrail 5.1.1 Application SLA

You can drill down into a more detailed view of the sites to analyse specific applications that are not meeting SLA. Below I'm looking at the latency metric for srxbranch1.


Contrail 5.1.1 Application SLA per site

Application Visibility - You can use this page to view information about bandwidth consumption, session establishment, and the risks associated with your applications. Analysing your network applications yields useful security management information, such as abnormal applications that can lead to data loss, heavy bandwidth usage, time-consuming applications, and personal applications that can elevate business risks.


The chart view is a brief summary of the top 50 applications consuming the most bandwidth in your network. The data can be presented graphically as a bubble graph, heat map, or zoomed-in bubble graph. The data is refreshed automatically based on the selected time range. You can also use the Custom button to set a custom time range.

You can hover over your applications to view critical information such as total number of sessions, total number of blocks, category, bandwidth consumed, risk levels, and characteristics. You can also view the top five users accessing your application.


Contrail 5.1.1 Application Visibility Chart View

The Grid View gives you comprehensive details about applications. You can view top users by volume, top applications by volume, top category by volume, top characteristics by volume, and sessions by risk. You can also view the data in a tabular format that includes sortable columns. You can sort the applications in ascending or descending order based on application name, risk level, and so on.


Contrail 5.1.1 Application Visibility Grid View

User Visibility - the same analysis available for applications also exists for users, so you can quickly identify heavy or rogue users.


Contrail 5.1.1 User Visibility

Threat Map (Live) - Use this page to visualise incoming and outgoing threats between geographic regions. You can view blocked and allowed threat events based on feeds from intrusion prevention systems (IPS), antivirus, and antispam engines, unsuccessful login attempts, and screen options. You can also click a specific geographical location to view the event count and the top five inbound and outbound IP addresses.


Contrail 5.1.1 Threat Map

Moving down the menu to the Resources tab - this is where you can Zero Touch Provision new sites or add LAN switches. Zero Touch Provisioning (ZTP) enables you to configure and provision devices automatically, and therefore reduces the manual time required for adding devices to a network.

Site Management - see a complete list of the devices in your network. Drill down into each site for insights into the WAN and LAN. View Latency, Packet Loss, Delay and Jitter. View Link Metrics, Top Applications and Link Utilisation for each IPSec tunnel.


Contrail 5.1.1 WAN Insights

LAN - Drill down into the LAN switches associated with each site to open up insights into switch and port metrics. Provision new ports and enable services with the easy to use configuration templates.


Contrail 5.1.1 SD-LAN

Templates - add new templates to configure sites using CSO's easy ZTP process. Use Juniper's standard templates or build your own. You answer a few simple questions about the WAN interfaces, such as whether each link's IP address is static (typical for MPLS) or obtained via DHCP (typical for Internet circuits). Once the template is complete and the relevant questions answered, the device is ready to be onboarded by CSO.


Contrail 5.1.1 Site Template

It is worth noting that for VPN authentication both pre-shared key and PKI certificate options are available; certificates avoid distributing one shared secret to every site, which matters as a fabric grows. For overlay IPsec encryption, the available options are shown below.


Contrail 5.1.1 Overlay Tunnel Encryption

Moving down the menu options next I take a look at the Configuration tab. SD-WAN policy intents help in optimum utilisation of the WAN links and efficient load distribution of traffic. SD-WAN policy intents are applied to source endpoints (such as sites and departments) and destination endpoints (applications or application groups) and can be defined for site-to-site traffic (by using SLA profiles) or for breakout traffic (by using breakout profiles).


You can use the SD-WAN Policy page to view, create, edit, and deploy SD-WAN policy intents, which use SLA profiles for traffic management. Every tenant has one SD-WAN policy, and intents are created within it.


Contrail 5.1.1 SD-WAN Policy

SLA Based Traffic Steering Profiles - here you define the conditions under which a link is no longer used for an application, which protects application performance for end users.


Contrail 5.1.1 SLA Based Steering Profiles
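To make the steering behaviour concrete, here is an added example (my own illustration, not CSO's code or its actual algorithm) of the dual-tunnel lab above: an SLA profile with RTT, jitter and loss thresholds and a preferred link, probe results for the MPLS and Internet tunnels, and a controller that moves traffic off a link only after several consecutive failing probes and moves it back only after the same number of passing probes, recording each move as a link switch event. The profile values, link names and probe series are constructed for the example.

```python
"""SLA-based traffic steering over a dual-tunnel (MPLS + Internet) site.

Hypothetical model of the behaviour described on the page, not CSO's own logic.
Each WAN link is probed for RTT, jitter and loss; an SLA profile gives the thresholds
and a preferred link. Traffic leaves the active link only after `violation_count`
consecutive failing probes and returns to the preferred link only after the same
number of passing probes, so a single bad sample does not cause a flap.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SlaProfile:
    name: str
    max_rtt_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred_link: str
    violation_count: int = 3  # consecutive probes needed before switching either way


@dataclass(frozen=True)
class Probe:
    rtt_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class LinkState:
    bad: int = 0   # consecutive failing probes
    good: int = 0  # consecutive passing probes


def meets_sla(p: Probe, sla: SlaProfile) -> bool:
    return (p.rtt_ms <= sla.max_rtt_ms and p.jitter_ms <= sla.max_jitter_ms
            and p.loss_pct <= sla.max_loss_pct)


class Steering:
    def __init__(self, sla: SlaProfile, links: List[str]):
        if sla.preferred_link not in links:
            raise ValueError("preferred link must be one of the WAN links")
        self.sla = sla
        self.links = list(links)
        self.active = sla.preferred_link
        self.state = {link: LinkState() for link in links}
        self.events: List[Tuple[int, str, str, str]] = []  # (t, from, to, reason)

    def update(self, t: int, probes: Dict[str, Probe]) -> str:
        """Feed one probe per link for interval t; return the link now carrying traffic."""
        for link, p in probes.items():
            st = self.state[link]
            if meets_sla(p, self.sla):
                st.good, st.bad = st.good + 1, 0
            else:
                st.bad, st.good = st.bad + 1, 0
        n, pref = self.sla.violation_count, self.sla.preferred_link
        if self.state[self.active].bad >= n:
            # Only move to a link that is currently compliant; if every link is
            # failing, stay put rather than flap between equally bad links.
            alternatives = [l for l in self.links if l != self.active and self.state[l].bad == 0]
            if alternatives:
                self._switch(t, alternatives[0], f"{self.active} failed SLA {n} probes in a row")
        elif self.active != pref and self.state[pref].good >= n:
            self._switch(t, pref, f"{pref} met SLA {n} probes in a row")
        return self.active

    def _switch(self, t: int, new: str, reason: str) -> None:
        self.events.append((t, self.active, new, reason))
        self.active = new


# Constructed SLA profile and probe series (not real measurements).
VOICE = SlaProfile("voice", max_rtt_ms=150, max_jitter_ms=30, max_loss_pct=1.0,
                   preferred_link="MPLS")
OK = Probe(rtt_ms=40, jitter_ms=5, loss_pct=0.0)
LOSSY = Probe(rtt_ms=45, jitter_ms=8, loss_pct=5.0)  # latency fine, loss breaches 1%
# MPLS drops packets for three intervals, recovers, then the Internet link has one bad probe.
DEMO_PROBES = [
    {"MPLS": OK,    "Internet": OK},
    {"MPLS": LOSSY, "Internet": OK},
    {"MPLS": LOSSY, "Internet": OK},
    {"MPLS": LOSSY, "Internet": OK},
    {"MPLS": OK,    "Internet": OK},
    {"MPLS": OK,    "Internet": OK},
    {"MPLS": OK,    "Internet": OK},
    {"MPLS": OK,    "Internet": LOSSY},
]


def run_demo():
    """Return the active link per interval and the link switch events generated."""
    s = Steering(VOICE, ["MPLS", "Internet"])
    path = [s.update(t, probes) for t, probes in enumerate(DEMO_PROBES)]
    return path, s.events


if __name__ == "__main__":
    path, events = run_demo()
    print(path)
    for ev in events:
        print("link switch event:", ev)
```

Traffic stays on MPLS through the first two lossy probes, moves to the Internet tunnel on the third, and returns to MPLS once MPLS has passed three probes in a row; the single bad Internet probe at the end causes nothing because Internet is no longer the active link. Tuning `violation_count` against the probe interval is the trade-off between reacting quickly and generating noisy link switch events.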

Intent Based Firewall - Contrail Service Orchestration (CSO) provides the ability to create, modify, and delete firewall policy intents associated with a firewall policy. Firewall policies are presented as intent-based policies. A firewall policy intent controls transit traffic within a context derived from the endpoints defined in the intent. Intent-based firewall policies can incorporate both transport layer (Layer 4) and application layer (Layer 7) firewall constructs in a single intent. The underlying system automatically analyses the intents and translates them into the set of rules the devices understand. The rule sequence and the device assignment happen implicitly, based on the endpoints in the intent definition. An intent consists of source and destination endpoints, which can be applications (L7), sites or site groups, IP addresses or address groups, services, or departments.


Contrail 5.1.1 Intent Based Firewall
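The translation step above is the part worth understanding before trusting it, because an intent that is compiled behind a broader one never takes effect. The following is an added example of my own (not CSO's translation logic, and not its data model): intents with site, department, address-group, service (L4) and application (L7) endpoints are resolved against a constructed inventory, expanded into device-level rules, ordered most-specific-first, and then checked for rules that an earlier rule fully shadows. The inventory, endpoint names and intents are made up for the example.

```python
"""Intent-to-rule compilation for an intent-based firewall (hypothetical model).

Each intent names source and destination endpoints (site, department, address group
or any) plus optional L4 services and L7 applications. Compilation resolves endpoints
to prefixes from a constructed inventory, expands every combination into a rule,
orders rules most-specific-first, and flags rules hidden by an earlier rule.
Not CSO's own logic; names and prefixes are invented for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Tuple

# Constructed inventory: what each endpoint kind resolves to on the device.
INVENTORY: Dict[str, Dict[str, List[str]]] = {
    "site":       {"srxbranch1": ["10.1.0.0/16"], "srxbranch2": ["10.2.0.0/16"]},
    "department": {"Finance": ["10.1.10.0/24", "10.2.10.0/24"]},
    "address":    {"payroll-servers": ["10.100.5.10/32", "10.100.5.11/32"]},
}
# Narrower endpoint kinds weigh more, so their rules sort earlier in the policy.
WEIGHT = {"address": 3, "department": 2, "site": 1, "any": 0}


@dataclass(frozen=True)
class Endpoint:
    kind: str          # "site" | "department" | "address" | "any"
    name: str = "any"


ANY = Endpoint("any")


@dataclass
class Intent:
    name: str
    src: List[Endpoint]
    dst: List[Endpoint]
    action: str                                            # "permit" | "deny"
    services: List[str] = field(default_factory=list)      # L4, e.g. "ssh"
    applications: List[str] = field(default_factory=list)  # L7, e.g. "junos:FACEBOOK-ACCESS"


@dataclass(frozen=True)
class Rule:
    name: str
    src: Tuple[str, ...]   # prefixes, or ("any",)
    dst: Tuple[str, ...]
    service: str           # L4 service name or "any"
    application: str       # L7 application name or "any"
    action: str


def resolve(ep: Endpoint) -> Tuple[str, ...]:
    return ("any",) if ep.kind == "any" else tuple(INVENTORY[ep.kind][ep.name])


def specificity(intent: Intent) -> int:
    s = max(WEIGHT[e.kind] for e in intent.src) + max(WEIGHT[e.kind] for e in intent.dst)
    return s + bool(intent.services) + bool(intent.applications)


def compile_intents(intents: List[Intent], order: bool = True) -> List[Rule]:
    """Expand intents into rules; with order=True the most specific intents come first."""
    # sorted() is stable, so intents of equal specificity keep their declared order.
    ordered = sorted(intents, key=specificity, reverse=True) if order else list(intents)
    rules: List[Rule] = []
    for it in ordered:
        combos = list(product(it.src, it.dst, it.services or ["any"], it.applications or ["any"]))
        for k, (s, d, svc, app) in enumerate(combos):
            name = it.name if len(combos) == 1 else f"{it.name}-{k}"
            rules.append(Rule(name, resolve(s), resolve(d), svc, app, it.action))
    return rules


def _covers_prefixes(a: Tuple[str, ...], b: Tuple[str, ...]) -> bool:
    """True if every prefix in b lies inside some prefix in a ("any" covers everything)."""
    if "any" in a:
        return True
    if "any" in b:
        return False
    nets = [ipaddress.ip_network(p) for p in a]
    return all(any(ipaddress.ip_network(p).subnet_of(n) for n in nets) for p in b)


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b would already have matched a."""
    return (_covers_prefixes(a.src, b.src) and _covers_prefixes(a.dst, b.dst)
            and a.service in ("any", b.service) and a.application in ("any", b.application))


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule that hides it) pairs; a shadowed rule never takes effect."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, r):
                found.append((r.name, earlier.name))
                break
    return found


# Constructed intents for the example.
DEMO_INTENTS = [
    Intent("branch1-default", [Endpoint("site", "srxbranch1")], [ANY], "permit"),
    Intent("branch1-no-ssh", [Endpoint("site", "srxbranch1")], [ANY], "deny", services=["ssh"]),
    Intent("finance-payroll", [Endpoint("department", "Finance")],
           [Endpoint("address", "payroll-servers")], "permit", services=["https"]),
    Intent("block-social", [Endpoint("site", "srxbranch1"), Endpoint("site", "srxbranch2")],
           [ANY], "deny", applications=["junos:FACEBOOK-ACCESS"]),
]

if __name__ == "__main__":
    for r in compile_intents(DEMO_INTENTS):
        print(r.name, r.src, "->", r.dst, r.service, r.application, r.action)
    print("shadowed in declaration order:", shadowed(compile_intents(DEMO_INTENTS, order=False)))
```

Compiled most-specific-first, the Finance-to-payroll permit and the two denies land ahead of the broad branch permit and nothing is shadowed; compiled in declaration order, both `branch1-no-ssh` and the branch-1 half of `block-social` sit behind `branch1-default` and are reported as dead rules. Whatever the orchestrator's actual ordering logic, running a shadow check like this over the rules it pushes to the devices is the practical way to confirm that a deny intent is really in effect.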

Reports - detailed reports can be produced in seconds and e-mailed to your customers.


Contrail 5.1.1 Reports

That pretty much concludes my lab experience with CSO so far. I would just like to point out that this is only scratching the surface of the platform. It's also worth noting that CSO integrates with Mist and AWS, something I'm going to take a look at next.


Contrail 5.1.1 AWS Integration

I would recommend watching the YouTube video "15 features in 15 minutes".


Finally, I would thoroughly recommend the formal training course to further enhance your learning experience of CSO:


SD-WAN with Contrail Service Orchestration

Fujitsu Customer Solutions Architect
Juniper Networks Ambassador