Juniper NETWORKS PTX Series Paragon Automation 2.1.0 Onboard Device

Specifications:

• Product Name: Juniper Paragon Automation 2.1.0
• Supported Network Devices: ACX Series, MX Series, PTX Series, Cisco Systems devices
• Compatibility: Works with Super User or Network Admin role in Paragon Automation

Product Usage Instructions:

1. Step 1: Begin

Supported Network Devices:

1. You can onboard ACX Series, MX Series, PTX Series, and Cisco Systems devices to Paragon Automation for management.

Install the Device:

1. Follow the hardware documentation to unbox, mount, and power on the device. Refer to model-specific Hardware Guide for details. For devices from other vendors, follow respective vendor instructions.

Prerequisites:

1. Ensure Paragon Automation is installed.
2. Superuser in Paragon Automation is set up.

Step 2: Up and Running

Onboard a Juniper Device:

1. Navigate to Inventory > Network Inventory on Paragon Automation GUI.
2. Click Add Device on Routers tab.
3. Click Adopt Router and select the site where the device is installed.
4. Copy the CLI commands provided for SSH configuration.
5. Access the device via SSH, paste commands, and commit configuration.
6. Move device to In Service for service provisioning.

Onboard a Device by Using ZTP:

Prerequisites:

1. Create an onboarding script (Python or SLAX) with outbound SSH configuration statements.
2. Refer to API Docs in the Paragon Automation GUI Help menu for using the getOutboundSshCommand REST API.

SUMMARY

• This guide walks you through the steps to onboard a router (both Juniper and non-Juniper) to Paragon Automation, so that the device can be managed, provisioned, and monitored through automated workflows.
• Use this guide if you are a user with the Super User or Network Admin role in Paragon Automation.

Supported Network Devices

• You can onboard ACX Series, MX Series, PTX Series, and Cisco Systems devices listed in Supported Hardware to Paragon Automation and manage them.

Install the Device

• Follow the instructions in the hardware documentation to unbox the device, mount it on a rack, and power on the device. For details about installing a device, follow the instructions in the model-specific Hardware Guide on the

Supported Hardwar.

• To install devices from other vendors, follow the instructions from the respective vendors.

Prerequisites

Ensure that the following prerequisites are fulfilled before you onboard a device to Paragon Automation:

1. Paragon Automation is installed. See Paragon Automation Installation Guide.
2. A superuser in Paragon Automation has:
   1. a. Created an organization and a site to which the device can be onboarded.
   2. b. Added one or more users with the Network Admin role.
   3. For more information, see Paragon Automation Quick Start Guide.
3. A superuser or a network administrator has:
   1. In Paragon Automation, created network resource pools, device and interface profiles, and a network implementation plan.
   2. On the device:
   3. Checked if a firewall exists between Paragon Automation and the device. If a firewall exists, the firewall is configured to allow outbound access on TCP ports 443, 2200, 6800, 4189, and 32,767.
   4. Configured static routes on the device to reach Paragon Automation. The following is an example of a command to configure static route: user@device# set routing-options static route 0.0.0.0/0 next-hop Gateway-IP-address
   5. Configured a DNS server on the device to resolve domain names or allow the device to access an external DNS server (for example, 8.8.8.8).
   6. Configured an NTP server on the device.

Step 2: Up and Running

Onboard a Juniper Device

To onboard a Juniper device to Paragon Automation, you must commit the outbound SSH command to connect with Paragon Automation, on the device. This method of onboarding a device by committing the outbound SSH commands is also referred to as “Adopting a Device”.

You can onboard a Juniper device to Paragon Automation by using any of the following methods:

• Onboard a Juniper device.
• Onboard a device by using ZTP.

To onboard a non-Juniper device.

• NOTE: Among non-Juniper devices, only Cisco Systems devices are supported in this release. For a list of supported Cisco Systems devices.

Onboard a Juniper Device

• Paragon Automation provides the outbound SSH configuration that you can commit on the device to enable the device to connect with Paragon Automation.
• To onboard a Juniper device by committing the SSH configuration:

1. Navigate to Inventory > Network Inventory on the Paragon Automation GUI.
2. On the Routers tab, click Add Device.
3. On the Add Devices click Adopt Router.
4. Click the Select Site drop-down list to select the site where the device is installed.
   1. The outbound SSH configuration that is required for the device to establish a connection with Paragon Automation is displayed.
5. Click Copy Cli Commands to copy the CLI commands under the Apply the following CLI commands to adopt a Juniper Device if it meets the requirements section to clipboard and close OK.
6. Access the device by using SSH and log in to the device in configuration mode.
7. Paste the contents of the clipboard and commit the configuration on the device.
   • The device connects to Paragon Automation and can be managed from Paragon Automation.
   • After you adopt a device, you can verify connectivity status by running the following command on the device: user@host> show system connections |match 2200 tcp 0 0 ip-address:38284 ip-address:2200 ESTABLISHED
   • 6692/sshd: jcloud-stcp 0 0 <varname>ip-address</varname>:38284 <varname>ip-address</varname>:2200 ESTABLISHED 6692/sshd: Established in the output indicates that the device is connected with Paragon Automation.

• After the device is onboarded, the status of the device on the Inventory  (Inventory > Devices > Network Inventory) shows as Connected, You can now start managing the device. See Device Management Workflow.
• Also, you can move the device to In Service after onboarding so that services can be provisioned on the device. See Approve a Device for Service.
• Onboard a Device by Using ZTP

Prerequisites:

• (Recommended) A network implementation plan should be configured for the device.
• The device should be zeroized or in its factory-default settings.
• A TFTP server reachable from the device.
• A DHCP server reachable from the device, with the ability to respond to the device with the TFTP server and configuration file (Python or SLAX script) name.

To onboard a device by using ZTP:

1. Create an onboarding script (in Python or SLAX) by saving the outbound SSH configuration statements in a file. You can obtain the outbound SSH configuration statements by using the getOutboundSshCommand REST API.
   1. See API Docs under the Help menu of the Paragon Automation GUI for information about using the API.
2. Upload the onboarding script to the TFTP server.
3. Configure the DHCP server with the onboarding script filename and path in the TFTP server.
4. Install the device, connect it to the network, and power it on the device.
   1. For information about installing the device, see the respective Hardware guide at https://www.juniper.net/documentation/.
   2. After the device is powered on:
      1. a. The factory default settings in the device trigger a built-in script (ztp.py) which obtains the IP addresses for the management interface, default gateway, DNS server, TFTP server, and the path of the onboarding script (Python or SLAX) on the TFTP server, from the DHCP server.
      2. b. The device configures its management IP address, static default route, and the DNS server address, based on the values obtained from the DHCP network.
      3. c. The device downloads the onboarding script, based on the values from the DHCP network, and executes it, resulting in the onboarding configuration statements being committed.
      4. d. The device opens an outbound SSH session with Paragon Automation based on the committed onboarding configuration.
5. After the device connects with Paragon Automation, Paragon Automation configures management and telemetry parameters, including NMI by using NETCONF. Paragon Automation also uses NETCONF to configure the interfaces and protocols based on the network implementation plan associated with the device.
6. Log in to the Paragon Automation GUI and view the status of device onboarding on the Inventory (Inventory > Devices > Network Inventory). After the device status changes to Connected, you can start managing the device. See Device Management Workflow for details.

• Sample Onboarding Script for Committing SSH Configuration on a Device

The following is a sample of the onboarding script that is downloaded from the TFTP server to the device:

Onboard a non-Juniper Device

NOTE: In this release, you can onboard a non-Juniper device by using REST APIs. Onboarding a non-Juniper device by using GUI is a Beta feature and may not work as expected. See Help > API Docs for information about Paragon Automation REST APIs.

To onboard a non-Juniper device:

1. Navigate to Inventory > Network Inventory on the Paragon Automation GUI.
2. On the Routers tab, click Add Device.
3. On the Add Devices click Adopt a Device.
4. In the Adopt a Device section, enter the device details—Device name, IPv4 address and port, site, vendor, model, operating system, connection timeout (in minutes), and retry delay (in minutes).
5. Under Authorization, click:
   1. Upload a Certificate to use TLS certificates to authenticate the device.
      1. If you use the Upload a Certificate option, upload:
         1. TLS certificate for the device in Certificate.
         2. Certificate key for the device in Key Certificate.
         3. Root certificate of the Certificate Authority (CA) in the Certificate Authority.
         4. Credentials to authenticate by using username and password.
      2. If you use the Credentials option, enter the username and password to authenticate the device.
6. Click OK.
   1. Paragon Automation connects with the device. You can now manage the device by using Paragon Automation.

After the device connects with Paragon Automation, you can view the details of the device on the Inventory (Inventory > Devices > Network Inventory).

Step 3: Keep Going

What’s Next

• Now that you’ve onboarded the device, here are some things you might want to do next.

General Information

(Continued)

Learn with Videos
Our video library continues to grow! Here are some great videos and training resources that will help you expand your knowledge of Juniper Network Products.

• Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
• All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
• Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
• Copyright © 2025 Juniper Networks, Inc. All rights reserved.

FAQ

Q: What devices can be managed with Juniper Paragon Automation?

A: Supported devices include ACX Series, MX Series, PTX Series, and select Cisco Systems devices.

Q: What are the prerequisites for onboarding a device using ZTP?

A: Prerequisites include creating an onboarding script with outbound SSH configurations and utilizing the getOutboundSshCommand REST API.

Documents / Resources

Juniper NETWORKS PTX Series Paragon Automation 2.1.0 Onboard Device [pdf] User Guide ACX Series, MX Series, PTX Series, PTX Series Paragon Automation 2.1.0 Onboard Device, Paragon Automation 2.1.0 Onboard Device, Automation 2.1.0 Onboard Device, Onboard Device

References

• User Manual