View and Edit Tenant Settings

 

Users with the tenant administrator role can view and modify the tenant settings that are configured on the Administration Portal, while users with the tenant operator role can only view the tenant settings.

Note

You cannot add or remove services (configured in Administration Portal) for the tenant.

To modify the settings configured for a tenant:

  1. If the Welcome to CSO Release-Number page is displayed after you log in, click Review Settings. Alternatively, select Administration > Tenant Settings.

    The Tenant Settings page appears.

  2. (Optional) Click the Expand icon or the Collapse icon on the top-right corner of the page to expand or collapse the different sections displayed.
  3. Modify the tenant settings as explained in Table 1.
  4. Click Save to save the changes.

    A tenant edit job is triggered and a confirmation message, indicating that a tenant edit job is created successfully, appears on the Tenant Settings page.

  5. (Optional) You can click the job name in the message to view details of the job (including job status, start date and time, and end date and time) on the Update tenant settings Details page. Alternatively, you can view the status of the job on the Jobs (Monitor > Jobs) page.

    If the job is completed successfully, a confirmation message appears on top of the Tenant Settings page.

Table 1: Fields on the Tenant Settings Page

Field

Description

Tenant Capabilities (Services)

Services

Displays the services supported for the tenant. You cannot modify this setting.

SD-WAN

Next Gen Firewall

Password Policy

 

SD-WAN

Next Gen Firewall

Password Expiration Days

Specify the duration (in days) after which the password expires and must be changed.

Range: 1 through 365.

Default: 180 days.

Note: The modifications are applicable only to new users and users whose password has expired.

SD-WAN

Next Gen Firewall

SSL Settings

Note: You can modify this setting only if you have not added any SD-WAN sites for the tenant.

SD-WAN

Default SSL Proxy Profile

Click the toggle button to enable or disable a default SSL proxy profile for the tenant.

If you enable this option, the following items are created:

  • A default root certificate with the certificate content specified (in the Root Certificate field)

  • A default SSL proxy profile

  • A default SSL proxy profile intent that references the default profile

Note: You use this option to create a tenant-wide default profile; enabling or disabling this option does not mean that SSL is enabled or disabled.

If you enable this option, you must add a root certificate.

SD-WAN

Root Certificate

Note: This field is displayed only if you enabled the default SSL proxy profile.

You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content:

  • To import the certificate content directly from a file:

    1. Click Browse.

      The File Upload dialog box appears.

    2. Select a file and click Open.

      The content of the certificate file is displayed in the Root Certificate field.

  • Copy the certificate content from a file and paste it in the text box.

After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are created.

Note:

  • The root certificate must contain both the certificate content and the private key.

  • For full-fledged certificate operations, such as certificates that need a passphrase, or that have RSA private keys, you must use the Certificates page (Administration > Certificates) to import the certificates and install them on one or more sites.

SD-WAN

VPN Authentication

 

SD-WAN

Authentication Type

Note:

  • If PKI Certificate was configured as the authentication type, you can modify the PKI properties (CA Server URL, Password, CRL Server, and Auto Renew) even after you add sites for the tenant.

  • If Preshared Key was configured as the authentication type, then you can modify the authentication type only if you have not added SD-WAN sites for the tenant.

Select the VPN authentication method to establish a secure IPsec tunnel:

  • Preshared Key, which means that CSO establishes IPsec tunnels using keys.

  • PKI Certificate, which means that CSO establishes IPsec tunnels using public key infrastructure (PKI) certificates.

    If you select this option, you can configure the following:

    • CA Server URL—Specify the Certificate Authority (CA) Server URL. For example, http://CA-Server-IP-Address/certsrv/mscep/mscep.dll/pkiclient.exe.

    • Password—Specify the password for the CA server. This field is optional.

    • CRL Server URL—Specify the certificate revocation list (CRL) server URL. For example, http://Revocation-List-Server-IP-Address/certservices/abc.crl. CSO retrieves the list of revoked certificates from the CRL server.

    • Auto Renew CA Certificates—Click the toggle button to enable or disable automatic renewal of certificates.

      If you enable this option, certificates are automatically renewed for all sites in the tenant.

      If you disable this option, certificates must be manually renewed.

      Note: If the certificate expires before the renewal, CSO might not be able to reach the device.

    • Renew before expiry—If you enabled automatic renewal, select the period (3 days, 1 week, 2 weeks, or 1 month) before the expiration date when the certificates get automatically renewed.

      Note: You can also change the duration on the VPN Authentication page in Customer Portal (Administration > Certificate Management > VPN Authentication).

SD-WAN

Overlay Tunnel Encryption

Note: You can modify this setting only if you have not added any SD-WAN sites for the tenant.

SD-WAN

Encryption Type

For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the encryption type:

  • 3DES-CBC—Triple Data Encryption Standard with Cipher-Block Chaining (CBC) algorithm.

  • AES-128-CBC—128-bit Advanced Encryption Standard with CBC algorithm.

  • AES-128-GCM—128-bit Advanced Encryption Standard with Galois/Counter Mode (GCM) algorithm.

  • AES-256-CBC—256-bit Advanced Encryption Standard with CBC algorithm.

  • AES-256-GCM—256-bit Advanced Encryption Standard with GCM algorithm.

The default encryption type is AES-256-GCM.

SD-WAN

Network Segmentation

Note: You can modify this setting only if you have not added any SD-WAN sites for the tenant.

SD-WAN

Network Segmentation

Click the toggle button to disable network segmentation on the tenant.

SD-WAN

Dynamic Mesh

Note: You can modify these settings even after you add sites for the tenant.

SD-WAN

Threshold for Creating a Tunnel

 

SD-WAN

Number of Sessions

Specify the maximum number of sessions closed (for a time duration of 2 minutes) between two spoke sites.

The dynamic mesh tunnel is created between two spoke sites if the number of sessions closed (for a time duration of 2 minutes) is greater than or equal to the value that you specified.

The default threshold value (the number of sessions for 2 minutes) is 5.

SD-WAN

Threshold for Deleting a Tunnel

 

SD-WAN

Number of Sessions

Specify the minimum number of sessions closed (for a time duration of 15 minutes) between two spoke sites.

The dynamic mesh tunnel is deleted between two spoke sites if the number of sessions closed (for a time duration of 15 minutes) is less than or equal to the value that you specified.

The default threshold value (the number of sessions for 15 minutes) is 2.

SD-WAN

Max Dynamic Mesh Tunnels

 

SD-WAN

Max tunnels per CSO

Displays the maximum number of dynamic mesh tunnels that can be created in CSO. The total number of dynamic mesh tunnels that can be created by all tenants in CSO is limited to 125000.

You cannot modify this field.

SD-WAN

Max tunnels per tenant

Specify the maximum number of dynamic mesh tunnels that the tenant can create.

Range: 1 through 50,000.

SD-WAN

Dynamic Mesh

Click the toggle button to disable or enable dynamic meshing between sites in the tenant.

SD-WAN

Cloud Breakout Settings

Note: You can modify these settings even after you add sites for the tenant.

SD-WAN

Customer Domain Name

Enter the domain name of the tenant. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels.

SD-WAN

Tenant-Specific Attributes

Note: You can modify these settings even after you add sites for a tenant.

If you have set up a third-party provider edge (PE) device by using software other than CSO, then configure settings on that router by specifying custom parameters and their corresponding values.

You can modify existing attributes or add attributes.

  • To add an attribute:

    1. Click the add (+) icon.

      An editable row appears inline in the table.

    2. Specify any information about the site that you want to pass to a third-party router; for example, location.
    3. Specify a value for the information about the site that you want to pass to a third-party device; for example, Chicago.
    4. Click (check mark) to save your changes.

      The prefix that you entered is displayed in the table.

  • To modify an attribute, select a row, click the edit (pencil) icon, and modify the name and value.

SD-WAN

Next Gen Firewall
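
A pre-upload check for the Root Certificate field in Table 1, added here as an example; it is not Juniper's code. It tests pasted PEM text against the two notes on that field: the text must carry both a certificate and a private key, and passphrase-protected or RSA keys belong on the Certificates page instead. Assumptions: "RSA private keys" is read as a PKCS#1 "RSA PRIVATE KEY" block or a PKCS#8 key whose algorithm OID is rsaEncryption, and all function names and sample constants are hypothetical.

```python
import base64
import re

# DER bytes of the rsaEncryption OID 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LEGACY_ENCRYPTED = re.compile(r"Proc-Type:\s*4,ENCRYPTED")


def is_rsa_key(label, body):
    """PKCS#1 label, or a PKCS#8 key whose algorithm OID is rsaEncryption."""
    if label == "RSA PRIVATE KEY":
        return True
    der = base64.b64decode(body)  # non-alphabet characters (newlines) are skipped
    return RSA_OID in der[:32]    # the algorithm OID sits near the start


def check_root_cert_field(pem_text):
    """Return the reasons the text does not fit the field ([] means it fits)."""
    blocks = PEM_BLOCK.findall(pem_text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no certificate block")
    keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
    for label, body in keys:
        try:
            if label == "ENCRYPTED PRIVATE KEY" or LEGACY_ENCRYPTED.search(body):
                problems.append("passphrase-protected key: use the Certificates page")
            elif is_rsa_key(label, body):
                problems.append("RSA private key: use the Certificates page")
        except ValueError:  # binascii.Error is a ValueError
            problems.append("private key block is not valid base64")
    return problems


def make_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed placeholders (not real certificates or keys): only the PEM labels
# and the leading algorithm-identifier bytes are meaningful.
CERT = make_pem("CERTIFICATE", bytes.fromhex("3003020100"))
EC_KEY = make_pem("PRIVATE KEY", bytes.fromhex("308187020100301306072a8648ce3d0201"))
RSA_KEY = make_pem("PRIVATE KEY", bytes.fromhex("30820100020100300d") + RSA_OID)
ENC_KEY = make_pem("ENCRYPTED PRIVATE KEY", bytes.fromhex("3000"))
```

Calling check_root_cert_field(CERT + EC_KEY) returns an empty list; each of the other sample keys returns the reason it should go through the Certificates page.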
