Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Add a Tenant


In CSO, a tenant is a logical representation of a customer. Tenants enable the separation and isolation of resources (such as sites) and traffic of different customers from one another.

To add a tenant:

  1. From the CSO menu, select Tenants.

    The Tenants page appears.

  2. Click the Add (+) icon.

    The Add Tenants wizard appears, displaying the General settings to be configured.


    Fields marked with an asterisk (*) are mandatory.

  3. Configure the General settings as explained in Table 1, and click Next.

    You are taken to the Deployment Info section of the wizard.

  4. Configure the Deployment Info settings as explained in Table 2, and click Next.

    You are taken to the Tenant Properties section of the wizard.

  5. Configure the Tenant Properties settings as explained in Table 3, and click Next.

    You are taken to the Summary section of the wizard, where a summary of the settings that you configured is listed.

  6. Review the configuration in the Summary section and, if needed, modify the settings.Note

    You can download the tenant settings that you configured as a JavaScript Object Notation (JSON) file by clicking the Download as JSON link at the bottom of the Summary section.

  7. Click Finish.

    You are returned to the Tenants page, and CSO triggers a job to add the tenant and displays a confirmation message. Click the link in the message to view the details of the job. Alternatively, you can check the status of the job on the Jobs (Resources > Jobs) page.

    After the job finishes successfully, the tenant that you added is displayed on the Tenants page.

    If an SMTP server is configured. an e-mail is sent to the tenant, which includes a URL to access Customer Portal. The URL is active for only 24 hours and is valid only for the first login.

Table 1: General Settings (Add Tenant)



Basic Information


Enter a unique name for the tenant. The name can contain alphanumeric characters, underscores, and hyphens, and must be less than 15 characters long.

For example, Ent_Tenant.

Admin User

You must add an administrator user that can perform the administration tasks for that tenant.

First Name

Enter the first name of the administrator user.

Last Name

Enter the last name of the administrator user.

Username (Email)

Enter the e-mail address of the administrator user. The e-mail address will be the username that the administrator user will use to log in to the CSO portal.

After the tenant is added successfully, CSO sends an e-mail containing the link to the CSO portal and a link to set the password.


Select one or more roles (both predefined and custom roles) that you want to assign to the tenant user, and click the right arrow (>) to move the selected role or roles from the Available column to the Selected column.

Password Policy

Specify the duration (in days) after which the password will expire and must be changed.

Range: 1 through 365.

Default: 180.

Table 2: Deployment Info Settings (Add Tenant)





Services for Tenant

Select the services that you want to be available for the tenant. The types of services that you select for the tenant determine the types of sites that a tenant can add. For example, if you select SD-WAN, a tenant can add only SD-WAN sites.

For this use case, select SD-WAN.

Service Level

Note: This field appears only if you selected the SD-WAN in the Services for Tenant field.

Choose an SD-WAN service type for the tenant. The following options are available:

  • Essentials—Provides the basic SD-WAN service (called Secure SD-WAN Essentials). This service is ideal for small enterprises looking for managing simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. A tenant with the Essentials service level can create sites only with the Secure SD-WAN Essentials service. You can upgrade the SD-WAN service level of a tenant from Essentials to Advanced seamlessly (without downtime) by editing the tenant parameters, provided that you have purchased the corresponding license. See Edit Tenant Parameters. This service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool based source NAT rules, IPv6, MAP-E, or underlay BGP.

  • Advanced—Provides the complete SD-WAN service (called Secure SD-WAN Advanced). This service is ideal for enterprises with one or more data centers, requiring flexible topologies and dynamic application steering. You can establish site-to-site connectivity can be established by using a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels.

Table 3: Tenant Properties Settings (Add Tenant)



Note: In this guide, we discuss only the network segmentation setting. Use the defaults for the rest of the tenant properties.

For information about other tenant properties, see the Adding a Single Tenant topic in the Administration Portal User Guide (available on the CSO Documentation page).

Network Segmentation

In CSO, network segmentation, which is enabled by default, enables you to isolate the traffic of one department from another. We’ll use the default setting for this use case.


  • After the tenant is added, you cannot change this setting.

  • If you disable network segmentation, then the LAN segments (across different sites in a tenant) cannot have overlapping subnets.


After the tenant is added successfully, you must change the scope to that tenant, or log in to Customer Portal and start adding sites for the tenant.