View and Edit Tenant Settings

Services

Displays the services supported for the tenant You cannot modify this setting.

SD-WAN (Advanced or Essential)

Security Services (Next Gen Firewall)

Password Policy

SD-WAN

Next Gen Firewall

Password Expiration Days

Specify the duration (in days) after which the password expires and must be changed.

Range: 1 through 365.

Default: 180 days.

SD-WAN

Next Gen Firewall

SSL Settings

SD-WAN

Default SSL Proxy Profile

Click the toggle button to enable or disable a default SSL proxy profile for the tenant.

If you enable this option, the following items are created:

• A default root certificate with the certificate content specified (in the Root Certificate field)

• A default SSL proxy profile

• A default SSL proxy profile intent that references the default profile

SD-WAN

Root Certificate

You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content:

• To import the certificate content directly from a file:

  1. Click Browse.

     The File Upload dialog box appears.

  2. Select a file and click Open.

     The content of the certificate file is displayed in the Root Certificate field.

• Copy the certificate content from a file and paste it in the text box.

After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are created.

SD-WAN

VPN Authentication

SD-WAN

Authentication Type

Select the VPN authentication method to establish a secure IPsec tunnel:

• Preshared Key, which means that CSO establishes IPsec tunnels using keys.

• PKI Certificate, which means that CSO establishes IPsec tunnels using public key infrastructure (PKI) certificates.

  If you select this option, you can configure the following:

  • CA Server URL—Specify the Certificate Authority (CA) Server URL. For example, http://CA-Server-IP-Address/certsrv/mscep/mscep.dll/pkiclient.exe.

  • Password—Specify the password for the CA server. This field is optional.

  • CRL Server URL—Specify the certificate revocation list (CRL) server URL. For example, http://Revocation-List-Server-IP-Address/certservices/abc.crl. CSO retrieves the list of revoked certificates from the CRL server.

  • Auto Renew CA Certificates—Click the toggle button to enable or disable automatic renewal of certificates.

    If you enable this option, certificates are automatically renewed for all sites in the tenant.

    If you disable this option, certificates must be manually renewed.

    Note:

    If the certificate expires before the renewal, CSO might not be able to reach the device.

  • Renew before expiry—If you enabled automatic renewal, select the period (3 days, 1 week, 2 weeks, or 1 month) before the expiration date when the certificates get automatically renewed.

    Note:

    You can also change the duration in the VPN Authentication page in Customer Portal (Administration > Certificate Management > VPN Authentication) page.

SD-WAN

Overlay Tunnel Encryption

SD-WAN

Encryption Type

For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the encryption type:

• 3DES-CBC—Triple Data Encryption Standard with Cipher-Block Chaining (CBC) algorithm.

• AES-128-CBC—128-bit Advanced Encryption Standard with CBC algorithm.

• AES-128-GCM—128-bit Advanced Encryption Standard with Galois/Counter Mode (GCM) algorithm.

• AES-256-CBC— 256-bit Advanced Encryption Standard with CBC algorithm.

• AES-256-GCM—256-bit Advanced Encryption Standard with GCM algorithm.

The default encryption type is AES-256-GCM.

SD-WAN

Network Segmentation

SD-WAN

Network Segmentation

Click the toggle button to disable network segmentation on the tenant.

SD-WAN

Dynamic Mesh

SD-WAN

Threshold for Creating a Tunnel

Not applicable to sites with SD-WAN Essentials service.

SD-WAN

Number of Sessions

Specify the maximum number of sessions closed (for a time duration of 2 minutes) between two branch sites.

The dynamic mesh tunnel is created between two branch sites if the number of sessions closed (for a time duration of 2 minutes) is greater than or equal to the value that you specified.

The default threshold value (the number of sessions for 2 minutes) is 5.

SD-WAN

Threshold for Deleting a Tunnel

Not applicable to sites with SD-WAN Essentials service.

SD-WAN

Number of Sessions

Specify the minimum number of sessions closed (for a time duration of 15 minutes) between two branch sites.

The dynamic mesh tunnel is deleted between two branch sites if the number of sessions closed (for a time duration of 15 minutes) is lesser than or equal to the value that you specified.

The default threshold value (the number of sessions for 15 minutes) is 2.

SD-WAN

Max Dynamic Mesh Tunnels

SD-WAN

Max tunnels per CSO

Displays the maximum number of dynamic mesh tunnels that can be created in CSO. The total number of dynamic mesh tunnels that can be created by all tenants in CSO is limited to 125000.

You cannot modify this field.

SD-WAN

Max tunnels per tenant

Specify the maximum number of dynamic mesh tunnels that the tenant can create.

Range: 1 through 50,000.

SD-WAN

Dynamic Mesh

Click the toggle button to disable or enable dynamic meshing between sites in the tenant.

SD-WAN

Cloud Breakout Settings

SD-WAN

Customer Domain Name

Enter the domain name of the tenant. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels.

SD-WAN

Advanced Settings (Optional)

SD-WAN

Next Gen Firewall

Primary/Secondary Hub Affinity

By default, hub affinity is enabled.

Enable the toggle button to configure the CPEs to prefer the user-selected primary and secondary hubs over other paths for the SD-WAN overlay traffic.

Disable the toggle button to configure the CPEs to prefer the shortest routes over the user-selected primary and secondary hubs for the SD-WAN overlay traffic.

For more details, see Understanding Specific Route-based Routing Within the SD-WAN Overlay.

SD-WAN

Next Gen Firewall

Tenant-Owned Public IP Pool

You can modify (add, edit or delete) the public IPv4 subnets that are part of the tenant’s pool of public IPv4 addresses. The tenant IP pool addresses are assumed to be public IP addresses and represent public LAN subnets in SD-WAN branch sites.

To add an IPv4 subnet:

1. Click the add (+) icon.

   An editable row appears inline in the table.

2. In the Addresses field, enter a valid, public IPv4 prefix.

   Note:

   Ensure that the IP addresses configured for a tenant are unique.

3. Click √ (check mark) to save your changes.

   The prefix that you entered is displayed in the table.

You can enter more IPv4 subnets by following the preceding procedure.

To modify a subnet that you entered, select the subnet and click the edit (pencil) icon.

To delete a subnet, select the subnet and click the delete icon.

If you update the IP address pool of a tenant, CSO runs a job to automatically update and reprovision the tenant sites.

SD-WAN

Next Gen Firewall

Tenant-Specific Attributes

If you have set up a third-party provider edge (PE) device by using software other than CSO, then configure settings on that router by specifying custom parameters and its corresponding values.

You can modify existing attributes or add attributes.

• To add an attribute:

  1. Click the add (+) icon.

     An editable row appears inline in the table.

  2. Specify any information about the site that you want to pass to a third-party router; for example, location.

  3. Specify a value for the information about the site that you want to pass to a third-party device; for example, Chicago.

  4. Click √ (check mark) to save your changes.

     The prefix that you entered is displayed in the table.

• To modify an attribute, select a row, click the edit (pencil) icon, and modify the name and value.

SD-WAN

Next Gen Firewall