Self-provision / Configuration Synchronization
- What is meant by self-provision?
- What does configuration synchronization mean?
- Which protocols are used and what is the security level of the communications?
- How is it ensured that self-provision is carried out at the specified location?
- How can the use of a Branch Edge be restricted in an untrusted access network (theft of the equipment and subsequent installation on an unauthorized internet access)?
A: Self-provision is the process whereby a factory-default device (Branch Edge or Datacenter Edge) receives and applies its settings automatically as soon as it is connected to the network, without any local action on the device. The device contacts CNM, identifies itself and receives its configuration over a secure channel.
A: Configuration synchronization is the process in which devices automatically download their configuration from CNM whenever anything changes in the data model. Self-provision can be seen as a special case of it: the first synchronization, which takes place when the device is installed after leaving the factory.
A: HTTPS (TLS) is used. The CNM server is identified by a digital certificate, which prevents spoofing of the server, and the information is authenticated and encrypted in both directions. Optionally, plain HTTP (port 80) can be used if encryption is not desired or port 443 cannot be used. Note that with HTTP the device has no way to verify that it is talking to the real CNM, and the configuration can be read or altered in transit; it should only be considered on a network that is trusted end to end.
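The following is an added example, not CNM's or the device's own code, of how the device side can enforce the transport policy described above: only HTTPS unless an operator explicitly accepts plaintext, a TLS context that requires a certificate chaining to the trusted CA and matching the host name, and an optional pinned fingerprint of the CNM certificate. The CA file, the URL, the `/provision` endpoint and the pin value are assumptions.

```python
"""Added example (not CNM's code): device-side transport policy for calling home.
The CA file, the CNM URL, the /provision endpoint and any pin are assumptions."""
import hashlib
import http.client
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse


class InsecureTransport(Exception):
    """Raised when the configuration would travel without TLS or to an unpinned server."""


def parse_cnm_url(url: str, allow_plaintext: bool = False) -> Tuple[str, str, int]:
    """Return (scheme, host, port). Plain HTTP is refused unless the operator
    explicitly accepts that the configuration is neither authenticated nor encrypted."""
    p = urlparse(url)
    if not p.hostname:
        raise ValueError(f"no host in {url!r}")
    if p.scheme == "https":
        return "https", p.hostname, p.port or 443
    if p.scheme == "http":
        if not allow_plaintext:
            raise InsecureTransport(
                "plain HTTP: CNM could be spoofed and the configuration read or altered in transit")
        return "http", p.hostname, p.port or 80
    raise ValueError(f"unsupported scheme {p.scheme!r}")


def cnm_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that only accepts a CNM certificate chaining to the trusted CA and
    whose name matches the host (cafile=None falls back to the system trust store)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSL and early TLS versions
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate: the value an operator would pin for CNM."""
    return hashlib.sha256(der_cert).hexdigest()


def cnm_connection(url: str, cafile: Optional[str] = None,
                   allow_plaintext: bool = False) -> http.client.HTTPConnection:
    """Build the client connection the device uses to call home (no I/O yet)."""
    scheme, host, port = parse_cnm_url(url, allow_plaintext)
    if scheme == "http":   # weak setting: only reachable with allow_plaintext=True
        return http.client.HTTPConnection(host, port, timeout=30)
    return http.client.HTTPSConnection(host, port, context=cnm_tls_context(cafile), timeout=30)


def fetch_config(url: str, serial: str, cafile: Optional[str] = None,
                 pinned_sha256: Optional[str] = None) -> bytes:
    """Call home over HTTPS, optionally compare the presented certificate with a
    pinned fingerprint, and return the configuration body. Performs network I/O."""
    conn = cnm_connection(url, cafile)
    conn.connect()   # TLS handshake: CA chain and host name are verified here
    if pinned_sha256 is not None:
        presented = cert_fingerprint(conn.sock.getpeercert(binary_form=True))
        if presented != pinned_sha256.lower():
            conn.close()
            raise InsecureTransport(f"CNM certificate fingerprint {presented} does not match pin")
    conn.request("GET", f"/provision?serial={serial}")   # hypothetical endpoint
    resp = conn.getresponse()
    try:
        if resp.status != 200:
            raise RuntimeError(f"CNM returned {resp.status}")
        return resp.read()
    finally:
        conn.close()
```

`fetch_config("https://cnm.example.net/", "BE-0001", cafile="/etc/cnm/ca.pem")` is the normal call; the pin is an extra check on top of CA validation, not a replacement for it, and a plain-HTTP connection can only be obtained by passing `allow_plaintext=True` to `cnm_connection`, so the unsafe mode is a deliberate operator decision rather than a silent fallback.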
A: This is an important issue when 'public' internet access is used for a corporate SDWAN network, since a malicious installer could connect the device through a fake internet access and gain entry to the internal network. To prevent it, automatic self-provision of devices can be disabled in CNM. Only when the CNM manager has verified by some means that the installation is legitimate (for example, by confirming by phone with the staff at the remote branch) is self-provision of that particular device enabled in CNM with a click in the interface.
Q: How can the use of a Branch Edge be restricted in an untrusted access network (theft of the equipment and subsequent installation on an unauthorized internet access)?
A: There are currently several mechanisms to cover this case. One of them is to detect that a remote site has been disconnected for longer than a configured time (which may mean that the device is being moved elsewhere) and disable its connectivity to the network; in case of a false alarm, it can be re-enabled by manual intervention in CNM.
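The two controls above (self-provision held until an operator approves the device, and quarantine of a device that stays silent beyond a limit, both recoverable only by manual action in the manager) can be captured in a small enrollment state machine. The following is an added example, not CNM's code; the device states, the four-hour limit, the serial numbers and the addresses in the constructed timeline are all assumptions. It also shows self-provision as the first configuration synchronization, as described in the second answer.

```python
"""Added example (not CNM's code): a minimal enrollment-policy model for a
controller that (1) denies self-provision until an operator approves the
device and (2) quarantines devices that stay offline too long.
Every state name, timeout, serial number and address here is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    FACTORY = "factory"          # registered serial, never provisioned
    PENDING = "pending"          # called home, waiting for operator approval
    ACTIVE = "active"            # receives configuration on every check-in
    QUARANTINED = "quarantined"  # silent beyond the limit; connectivity disabled


@dataclass
class Device:
    serial: str
    auto_provision: bool = False        # default deny: an operator must approve
    state: State = State.FACTORY
    last_seen: Optional[datetime] = None
    seen_from: Optional[str] = None     # public IP of the last call-home
    config_version: int = 0             # 0 = never received configuration


class Controller:
    """Stand-in for the manager side of self-provision / config synchronization."""

    def __init__(self, devices: List[Device], offline_limit: timedelta):
        self.devices: Dict[str, Device] = {d.serial: d for d in devices}
        self.offline_limit = offline_limit
        self.model_version = 1           # bumped whenever the data model changes
        self.audit: List[str] = []

    def checkin(self, serial: str, now: datetime, src_ip: str) -> Optional[int]:
        """Device call-home. Returns the config version delivered, or None when
        the device must not be configured (unknown, pending or quarantined)."""
        d = self.devices.get(serial)
        if d is None:
            self.audit.append(f"{now:%H:%M} DENY unknown serial {serial} from {src_ip}")
            return None
        d.seen_from = src_ip
        if d.state is State.FACTORY:
            if not d.auto_provision:
                d.state = State.PENDING
                self.audit.append(f"{now:%H:%M} HOLD {serial} from {src_ip}: awaiting approval")
                return None
            d.state = State.ACTIVE   # operator pre-enabled self-provision for this serial
        if d.state in (State.PENDING, State.QUARANTINED):
            self.audit.append(f"{now:%H:%M} DENY {serial} ({d.state.value}) from {src_ip}")
            return None
        d.last_seen = now
        if d.config_version != self.model_version:   # configuration synchronization
            d.config_version = self.model_version
            self.audit.append(f"{now:%H:%M} SYNC {serial} -> v{self.model_version}")
        return d.config_version

    def approve(self, serial: str, operator: str, now: datetime) -> None:
        """Operator confirmed out of band (e.g. by phone) that the install is genuine."""
        d = self.devices[serial]
        d.state = State.ACTIVE
        d.last_seen = now
        self.audit.append(f"{now:%H:%M} APPROVE {serial} by {operator} (seen from {d.seen_from})")

    def change_model(self) -> int:
        self.model_version += 1
        return self.model_version

    def sweep(self, now: datetime) -> List[str]:
        """Quarantine active devices that have been silent longer than offline_limit."""
        hit = []
        for d in self.devices.values():
            if d.state is State.ACTIVE and d.last_seen and now - d.last_seen > self.offline_limit:
                d.state = State.QUARANTINED
                hit.append(d.serial)
                self.audit.append(f"{now:%H:%M} QUARANTINE {d.serial}: silent since {d.last_seen:%H:%M}")
        return hit

    def reactivate(self, serial: str, operator: str, now: datetime) -> None:
        """Manual recovery from a false alarm; same operator action as approval."""
        self.approve(serial, operator, now)


def demo() -> Tuple[List[Optional[int]], List[str]]:
    """Constructed timeline for one branch device; returns check-in results and the audit log."""
    t0 = datetime(2024, 1, 1, 8, 0)
    c = Controller([Device("BE-0001")], offline_limit=timedelta(hours=4))
    results = []
    results.append(c.checkin("BE-0001", t0, "198.51.100.7"))                        # held -> None
    results.append(c.checkin("BE-9999", t0 + timedelta(minutes=1), "198.51.100.7")) # unknown -> None
    c.approve("BE-0001", "noc-operator", t0 + timedelta(minutes=15))
    results.append(c.checkin("BE-0001", t0 + timedelta(minutes=16), "198.51.100.7"))  # self-provision -> 1
    c.change_model()
    results.append(c.checkin("BE-0001", t0 + timedelta(hours=1), "198.51.100.7"))     # sync -> 2
    c.sweep(t0 + timedelta(hours=6))                                                 # silent 5 h > 4 h
    results.append(c.checkin("BE-0001", t0 + timedelta(hours=6, minutes=5), "203.0.113.9"))  # quarantined -> None
    c.reactivate("BE-0001", "noc-operator", t0 + timedelta(hours=7))
    results.append(c.checkin("BE-0001", t0 + timedelta(hours=7, minutes=1), "203.0.113.9"))  # -> 2
    return results, c.audit
```

The check-in from a new address after the quarantine is the case the question asks about: a stolen unit brought up on another internet access is refused until someone in CNM confirms the move was legitimate, and the audit line records the address it called from so that decision can be made with evidence.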