
Adding a Single Tenant

You can use the Add Tenant page to add tenant data and other objects associated with a tenant, such as tenant user, network details, deployment scenario, service profiles, and custom properties. A single tenant can support one or more of the following services:

Begin by creating all the resources required for the network point of presence (POP).

The information listed on the Tenants page changes depending on the authentication mode configured:

  • Local Authentication—You can add the administrative user information as the first step from the Tenants page.

  • Authentication and Authorization with SSO Server—The Admin User information is not displayed on the Tenants page because users are not created in CSO and they are managed in the SAML identity provider. In addition, users are dynamically authorized to the CSO role based on the mapping rules configured in the SAML authentication.

  • Authentication with SSO Server—When you create the administrative user, the login page does not require you to configure a password because the user is created in the SSO without the password and you can only enter the username.

To add a tenant:

  1. Select Tenants.

    The Tenants page appears.

  2. Click the add (+) icon.

    The Add Tenant page appears.

  3. Add the tenant information by completing the configuration according to the guidelines provided in Table 1.

    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    A job to add the tenant is triggered and you are returned to the Tenants page. A confirmation message appears at the top of the page indicating that the job was created. You can click the link in the message to view the details of the job. Alternatively, you can check the status of the job on the Jobs (Monitor > Jobs) page. After the job completes successfully, the tenant that you added is displayed on the Tenants page.

    If the SMTP server is configured, an e-mail is sent to the tenant, which includes a URL to access Customer Portal. The URL is active for only 24 hours and is valid only for the first login.

Table 1: Fields on the Add Tenant Page

Field

Description

Tenant Info

Name

Enter a name for the tenant. You can use alphanumeric characters and hyphen (-); the maximum length is 32 characters.

Example: test-tenant

Admin user

First Name

Enter the first name of the user.

Last Name

Enter the last name of the user.

Username (Email)

Enter the e-mail address of the user. The e-mail address is used as the username for the user for logging in to CSO.

Roles

Select one or more roles (both predefined and custom roles) that you want to assign to the tenant user.

Note:

In the Available column, all tenant scope roles are listed.

Click the right arrow (>) to move the selected role or roles from the Available column to the Selected column. Note that you can use the search icon at the top right of each column to search for role names.

To preview the access privileges assigned to a role, click the role name.

Password Policy

Password Expiration Days

Specify the duration (in days) after which the password expires and must be changed.

The range is from 1 through 365. The default value is 180 days.

Click Next to continue.

Deployment Info

Services for Tenant

Select one or more services for the tenant:

  • SD-WAN—Select this option if you want the tenant to add SD-WAN sites. SD-WAN sites can have up to 4 WAN links, and the tenant can define intent policies to intelligently route different applications through different WAN links.

  • Security Services—Select this option if you want the tenant to add a standalone firewall site for the CPE device.

Note:

The options listed in Customer Portal > Resources > Site Management > Add are filtered based on the service that you have selected for a tenant. For example, if you have selected only SD-WAN for a tenant, in Customer Portal > Resources > Site Management > Add > Branch Site (Manual), only the SD-WAN capabilities (Secure SD-WAN Essentials, or both Secure SD-WAN Essentials and Secure SD-WAN Advanced, depending on the SD-WAN service level chosen) are listed.

Service Level

Note:

This field appears only if you selected SD-WAN in the Services for Tenant field.

Choose an SD-WAN service type for the tenant. The following options are available:

  • Essentials—Provides the basic SD-WAN services (Secure SD-WAN Essentials service). This service is ideal for small enterprises that want to manage simple WAN connectivity with comprehensive NGFW security services at the branch sites, using link-based application steering. The SD-WAN Essentials service allows Internet traffic to break out locally, which avoids the need to backhaul web traffic over costly VPN or MPLS links. This service does not support multihoming, dynamic mesh tunnels, cloud breakout profiles, SLA-based steering profiles, pool-based source NAT rules, IPv6, MAP-E, or underlay BGP. A tenant with the Essentials service level can create sites only with the Secure SD-WAN Essentials service.

    Note:

    You can upgrade the SD-WAN service level of a tenant from Essentials to Advanced seamlessly (without downtime) by editing the tenant parameters, provided that you have purchased the corresponding license. See Edit Tenant Parameters.

  • Advanced—Provides the complete SD-WAN services (Secure SD-WAN Advanced service). This service is ideal for enterprises with one or more data centers that require flexible topologies and dynamic application steering. Site-to-site connectivity can be established by using a hub in a hub-and-spoke topology or through static or dynamic full mesh VPN tunnels. Enterprise-wide intent-based SD-WAN policies and service-level agreement (SLA) measurements allow you to differentiate and dynamically route traffic for different applications.

Click Next to continue.

Tenant Properties

SSL Settings

Note:

This setting is applicable only to the SD-WAN deployment scenario.

Default SSL Proxy Profile

Click the toggle button to enable a default SSL proxy profile for the tenant.

If you enable this option, the following items are created when a tenant is added:

  • A default root certificate with the certificate content specified (in the Root Certificate field)

  • A default SSL proxy profile

  • A default SSL proxy profile intent that references the default profile

This option is disabled by default.

Note:

You use this option to create a tenant-wide default profile; enabling or disabling this option does not mean that SSL is enabled or disabled.

If you enable this option, you must add a root certificate.

Root Certificate

You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content:

  • To import the certificate content directly from a file:

    1. Click Browse.

      The File Upload dialog box appears.

    2. Select a file and click Open.

      The content of the certificate file is displayed in the Root Certificate field.

  • Copy the certificate content from a file and paste it in the text box.

After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are created.

Note:

  • The root certificate must contain both the certificate content and the private key.

  • For full-fledged certificate operations, such as certificates that need a passphrase or that have RSA private keys, you must use the Certificates page (Administration > Certificates) to import the certificates and install them on one or more sites.
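The two notes above give concrete rules for what belongs in the Root Certificate field. The following added check (example code, not CSO's own) inspects a PEM blob before you paste it: it confirms that a CERTIFICATE block and a private key block are both present, and flags passphrase-protected or RSA-format keys, which the page says must go through the Certificates page instead. The sample PEM is constructed with placeholder bodies; the check reads only the PEM envelope and does not decode or validate the certificate itself.

```python
import re

# Constructed sample with placeholder base64 bodies: not a real certificate or key.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCERTIFICATEbodyNotARealCert
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholderPRIVATEKEYbodyNotARealKey
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN label, body, matching END label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def check_root_cert_pem(pem: str) -> dict:
    """Classify a PEM blob for the Root Certificate field.

    Returns the block labels found, an ok flag, and a list of problems that
    mirror the page's notes: certificate and private key must both be present;
    passphrase-protected or RSA-format keys belong on the Certificates page.
    """
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem)]
    problems = []
    certs = [label for label in labels if label == "CERTIFICATE"]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block")
    # PKCS#8 encrypted keys use a distinct label; legacy PEM marks encryption in a header.
    if "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in pem:
        problems.append("key is passphrase-protected: import via Administration > Certificates")
    if "RSA PRIVATE KEY" in keys:
        problems.append("RSA private key: import via Administration > Certificates")
    if not pem.isascii():
        problems.append("non-ASCII content: field expects X.509 ASCII (PEM) format")
    return {"blocks": labels, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    print(check_root_cert_pem(SAMPLE_PEM))
```

For a real file, pair this envelope check with an openssl verification of the certificate chain and key match before uploading.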

VPN Authentication

Note:

This setting is applicable only to the SD-WAN (Advanced or Essentials) deployment scenario.

Authentication Type

Select the VPN authentication method to establish a secure IPsec tunnel:

  • Preshared Key—Select this option if you want CSO to establish IPsec tunnels using preshared keys.

    Note:

    Preshared Key is the default VPN authentication method.

  • PKI Certificate—Select this option if you want CSO to establish IPsec tunnels using public key infrastructure (PKI) certificates. Specify the following:

    • CA Server URL—Specify the Certificate Authority (CA) Server URL. For example, http://CA-Server-IP-Address/certsrv/mscep/mscep.dll/pkiclient.exe.

      The CA server manages the life cycle of a certificate. The CA server also publishes revoked certificates to the certification revocation list (CRL) server. To obtain trusted CA certificates, CSO communicates with the CA server using the Simple Certificate Enrollment Protocol (SCEP).

    • Password—Specify the password for the CA server. This field is optional.

    • CRL Server URL—Specify the certificate revocation list (CRL) server URL. For example, http://Revocation-List-Server-IP-Address/certservices/abc.crl. CSO retrieves the list of revoked certificates from the CRL server.

    • Auto Renew CA Certificates—Click the toggle button to enable automatic renewal of certificates.

      If you enable the Auto Renew toggle button, certificates are automatically renewed for all sites in the tenant.

      By default, the Auto Renew toggle button is disabled. If you disable the Auto Renew toggle button, certificates must be manually renewed.

      Note:

      If a certificate expires before it is renewed, CSO might not be able to reach the device.

    • Renew before expiry—This field appears only if you enabled the automatic renewal of certificates.

      Select the period (3 days, 1 week, 2 weeks, or 1 month) before the expiration date at which the certificates are automatically renewed.

      Note:

      The default value is 2 weeks. You can also change the duration on the VPN Authentication page in Customer Portal (Administration > Certificate Management > VPN Authentication).

Overlay Tunnel Encryption

Note:

This is applicable only to the SD-WAN (Advanced or Essentials) deployment scenario.

Encryption Type

For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the encryption type:

  • 3DES-CBC—Triple Data Encryption Standard with Cipher-Block Chaining (CBC) algorithm.

  • AES-128-CBC—128-bit Advanced Encryption Standard with CBC algorithm.

  • AES-128-GCM—128-bit Advanced Encryption Standard with Galois/Counter Mode (GCM) algorithm.

  • AES-256-CBC—256-bit Advanced Encryption Standard with CBC algorithm.

  • AES-256-GCM—256-bit Advanced Encryption Standard with GCM algorithm.

The default encryption type is AES-256-GCM.

Network Segmentation

Network Segmentation

Click the toggle button to enable or disable network segmentation on the tenant.

You enable network segmentation:

  • To create layer 3 VPNs per department.

  • To use overlapping IP addresses across departments.

Note:

CSO applies longest prefix match (LPM), also known as specific route-based routing, to each department when network segmentation is enabled. When network segmentation is disabled, LPM is applied to the default VPN. See Understanding Specific Route-based Routing Within the SD-WAN Overlay for details.

Dynamic Mesh

This setting is applicable only to Secure SD-WAN Advanced deployment scenarios.

Note:

Sites with the Secure SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites. However, an OpCo administrator or a tenant administrator can create a static tunnel between a source site and destination site by using the CSO GUI in Customer Portal.

Threshold for Creating a Tunnel

Set a threshold value, above which a tunnel is created between two sites.

Number of sessions

Specify the maximum number of sessions closed (for a time duration of 2 minutes) between two branch sites.

The dynamic mesh tunnel is created between two branch sites if the number of sessions closed (for a time duration of 2 minutes) is greater than or equal to the value that you specified.

The default threshold value (the number of sessions for 2 minutes) is 5.

For example, if you specify the number of sessions as 5, dynamic mesh tunnels are created if the number of sessions closed between two branch sites in 2 minutes is 5 or more.

Threshold for Deleting a Tunnel

Set a threshold value, below which a tunnel is deleted between two sites.

Number of sessions

Specify the minimum number of sessions closed (for a time duration of 15 minutes) between two branch sites.

The dynamic mesh tunnel is deleted between two branch sites if the number of sessions closed (for a time duration of 15 minutes) is less than or equal to the value that you specified.

The default threshold value (the number of sessions for 15 minutes) is 2.

For example, if you specify the number of sessions as 2, the dynamic mesh tunnels are deleted if the number of sessions closed in 15 minutes is less than or equal to 2.

Max Dynamic Mesh Tunnels

Max tunnels per CSO

Displays the maximum number of dynamic mesh tunnels that can be created in CSO. The total number of dynamic mesh tunnels that can be created by all tenants in CSO is limited to 125,000.

A major alarm is raised if the number of dynamic mesh tunnels created by all tenants reaches seventy percent of the maximum value.

A critical alarm is raised if the number of dynamic mesh tunnels created by all tenants reaches ninety percent of the maximum value.

To view alarms, see Monitor > Alerts & Alarms > Alarms in Administration Portal.

For more information about alarms, see About the Alarms Page.

Max tunnels per tenant

Specify the maximum number of dynamic mesh tunnels that the tenant can create.

Range: 1 through 50,000.

A major alarm is raised if the number of dynamic mesh tunnels created by all sites in a tenant reaches seventy percent of the maximum value.

A critical alarm is raised if the number of dynamic mesh tunnels created by all sites in a tenant reaches ninety percent of the maximum value.

To view alarms, see Monitor > Alerts & Alarms > Alarms in Customer Portal.

For more information about alarms, see About the Alarms Page.
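The creation and deletion thresholds and the 70 and 90 percent alarm levels described above, as an added example that is not CSO's own code. A constructed list of session-close events is evaluated for a site pair with the page's defaults (create at 5 closes in 2 minutes, delete at 2 closes in 15 minutes), and the alarm function maps a tunnel count to major or critical. Treating the 2-minute and 15-minute durations as sliding windows, and the event tuple layout, are assumptions; the page does not describe how CSO samples these counts.

```python
# Window lengths from the threshold descriptions on this page.
CREATE_WINDOW_S = 2 * 60       # closed sessions counted over 2 minutes
DELETE_WINDOW_S = 15 * 60      # closed sessions counted over 15 minutes
MAX_TUNNELS_PER_CSO = 125_000  # CSO-wide limit stated on this page

# Constructed session-close events: (timestamp in seconds, site, site).
# Not real CSO telemetry; the tuple layout is an assumption.
SAMPLE_EVENTS = [
    (900, "boston", "denver"), (920, "denver", "boston"), (940, "boston", "denver"),
    (960, "boston", "denver"), (980, "boston", "denver"),
    (200, "boston", "austin"), (500, "austin", "boston"),
]


def closed_sessions(events, site_a, site_b, now, window_s):
    """Count close events between two sites in the sliding window (now - window_s, now]."""
    pair = frozenset((site_a, site_b))  # direction does not matter for a site pair
    return sum(1 for t, a, b in events
               if frozenset((a, b)) == pair and now - window_s < t <= now)


def mesh_decision(events, site_a, site_b, now, tunnel_exists,
                  create_threshold=5, delete_threshold=2):
    """Apply the dynamic mesh rules: create when closes in 2 minutes reach the
    creation threshold; delete an existing tunnel when closes in 15 minutes
    are at or below the deletion threshold."""
    if not tunnel_exists:
        n = closed_sessions(events, site_a, site_b, now, CREATE_WINDOW_S)
        return "create" if n >= create_threshold else "none"
    n = closed_sessions(events, site_a, site_b, now, DELETE_WINDOW_S)
    return "delete" if n <= delete_threshold else "keep"


def tunnel_alarm(tunnel_count, maximum):
    """Alarm severity for a tunnel count: 'critical' at 90 percent of maximum,
    'major' at 70 percent, otherwise None. Integer math avoids float rounding."""
    if tunnel_count * 100 >= 90 * maximum:
        return "critical"
    if tunnel_count * 100 >= 70 * maximum:
        return "major"
    return None


if __name__ == "__main__":
    print(mesh_decision(SAMPLE_EVENTS, "boston", "denver", now=1000, tunnel_exists=False))
    print(mesh_decision(SAMPLE_EVENTS, "boston", "austin", now=1000, tunnel_exists=True))
    print(tunnel_alarm(35_000, 50_000), tunnel_alarm(87_500, MAX_TUNNELS_PER_CSO))
```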

Dynamic Mesh

Click the toggle button to disable dynamic meshing between sites in the tenant. Dynamic meshing is enabled by default.

Cloud Breakout Settings

Note:

This setting is applicable only to Secure SD-WAN Advanced deployment scenarios.

Customer Domain Name

Enter the domain name of the tenant. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels.

Example: test.gmail.com

Quality of service settings

Class of Service

Click this toggle button to allow (default) or prevent CSO from configuring QoS on the devices of a tenant. This setting is valid only for tenants with SD-WAN services.

  • Enable: CSO configures the class of service (CoS) parameters on an SD-WAN site (branch, cloud spoke, or enterprise hub site) when you deploy the SD-WAN policy for the site. The CoS parameters are derived from the application traffic type profile associated with the path-based steering profile, SLA-based steering profile, or breakout profile, which is referenced in an SD-WAN policy intent.

  • Disable: CSO does not configure CoS parameters for SD-WAN sites, which means that no CoS parameters are applied to SD-WAN traffic.

    If you want to apply CoS parameters on SD-WAN traffic, you must use configuration templates to configure and deploy CoS parameters on the SD-WAN sites. Therefore, unless you want to apply customized CoS parameters by using configuration templates, we recommend that you leave this setting enabled.

Advanced Settings (Optional)

Primary/Secondary Hub Affinity

By default, hub affinity is enabled.

Enable the toggle button to configure the CPEs to prefer the user-selected primary and secondary hubs over other paths for the SD-WAN overlay traffic.

Disable the toggle button to configure the CPEs to prefer the shortest routes over the user-selected primary and secondary hubs for the SD-WAN overlay traffic.

For more details, see Understanding Specific Route-based Routing Within the SD-WAN Overlay.

Tenant-Owned Public IP Pool

You can add one or more public IPv4 subnets that are part of the tenant’s pool of public IPv4 addresses. The tenant IP pool addresses are assumed to be public IP addresses and represent public LAN subnets in SD-WAN branch sites.

To add an IPv4 subnet:

  1. Click the add (+) icon.

    An editable row appears inline in the table.

  2. In the Addresses field, enter a valid, public IPv4 prefix.

    Note:

    Ensure that the IP addresses configured for a tenant are unique.

  3. Click the check mark icon to save your changes.

    The prefix that you entered is displayed in the table.

You can enter more IPv4 subnets by following the preceding procedure. You can also modify subnets that you entered by selecting a row and clicking the edit (pencil) icon. To delete a subnet, select the subnet and click the delete icon.

If you update the IP address pool of a tenant, CSO runs a job to automatically update and reprovision the tenant sites.
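Several Add Tenant fields on this page carry explicit constraints: the tenant Name (alphanumeric and hyphen, at most 32 characters), Password Expiration Days (1 through 365), Max tunnels per tenant (1 through 50,000), and the Tenant-Owned Public IP Pool (valid, public, unique IPv4 prefixes). The following added validator (example code, not CSO's own) checks all four before the values are entered. It uses Python's ipaddress is_global as the test for "public", so private ranges and the RFC 5737 documentation ranges such as 203.0.113.0/24 are flagged; the inputs in the demo are constructed.

```python
import ipaddress
import re

# Constraints taken from the Add Tenant field descriptions on this page.
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
PASSWORD_EXPIRY_RANGE = (1, 365)
MAX_TUNNELS_RANGE = (1, 50_000)


def validate_tenant_fields(name, password_expiration_days, max_tunnels_per_tenant, public_ip_pool):
    """Return a list of validation errors; an empty list means every field passes.

    public_ip_pool is a list of IPv4 prefixes in CIDR notation, as entered in the
    Addresses field of the Tenant-Owned Public IP Pool table.
    """
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("name: use only alphanumeric characters and hyphen, 1 to 32 characters")
    lo, hi = PASSWORD_EXPIRY_RANGE
    if not lo <= password_expiration_days <= hi:
        errors.append(f"password expiration: must be {lo} through {hi} days")
    lo, hi = MAX_TUNNELS_RANGE
    if not lo <= max_tunnels_per_tenant <= hi:
        errors.append(f"max tunnels per tenant: must be {lo} through {hi:,}")

    accepted = []
    for prefix in public_ip_pool:
        try:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.5/24
            net = ipaddress.IPv4Network(prefix, strict=True)
        except ValueError:
            errors.append(f"ip pool: {prefix!r} is not a valid IPv4 prefix")
            continue
        # Private, loopback, link-local, shared (CGNAT) and documentation ranges are not global.
        if not net.is_global:
            errors.append(f"ip pool: {prefix} is not a public IPv4 prefix")
        # Uniqueness: no entry may overlap another entry in the same tenant pool.
        for other in accepted:
            if net.overlaps(other):
                errors.append(f"ip pool: {prefix} overlaps {other}")
        accepted.append(net)
    return errors


if __name__ == "__main__":
    # Constructed input: a documentation prefix plus two overlapping private prefixes.
    for err in validate_tenant_fields("test-tenant", 180, 1000,
                                      ["203.0.113.0/24", "10.0.0.0/16", "10.0.1.0/24"]):
        print(err)
```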

Tenant-specific Attributes

If you have set up a third-party provider edge (PE) device by using software other than CSO, configure settings on that router by specifying custom parameters and their corresponding values.

Name

Specify any information about the site that you want to pass to a third-party router.

Example: Location

Value

Specify a value for the information about the site that you want to pass to a third-party device.

Example: Boston

Click Next to continue.

Summary

You can review the configuration in the Summary tab and modify the settings, if required.

You can also download the settings that you configure as a JavaScript Object Notation (JSON) file by clicking the Download as JSON link at the bottom of the page.