View and Edit Tenant Settings

Users with a tenant administrator role can view and modify the tenant settings that are configured on the Administration Portal, while users with tenant operator role can only view the tenant settings.

Note:

You cannot add or remove services (configured in Administration Portal) for the tenant.

To modify the settings configured for a tenant:

If the Welcome to CSO Release-Number page is displayed after you log in, click Review Settings. Alternatively, select Administration > Tenant Settings.

The Tenant Settings page appears.
(Optional) Click the Expand icon or the Collapse icon on the top-right corner of the page to expand or collapse the different sections displayed.
Modify the tenant settings as explained in Table 1.
Click Save to save the changes.

A tenant edit job is triggered and a confirmation message, indicating that a tenant edit job is created successfully, appears on the Tenant Settings page.
(Optional) You can click the job name in the message to view details of the job (including job status, start date and time, and end date and time) on the Update tenant settings Details page. Alternatively, you can view the status of the job on the Jobs (Monitor > Jobs) page.

If the job is completed successfully, a confirmation message appears on top of the Tenant Settings page.

Table 1: Fields on the Tenant Settings Page
Field	Description	Tenant Capabilities (Services)
Services	Displays the services supported for the tenant You cannot modify this setting.	SD-WAN (Advanced or Essential) Security Services (Next Gen Firewall)
Password Policy		SD-WAN Next Gen Firewall
Password Expiration Days	Specify the duration (in days) after which the password expires and must be changed. Range: 1 through 365. Default: 180 days. Note: The modifications are applicable to new and existing users.	SD-WAN Next Gen Firewall
Email Notifications	By default, e-mail notifications are disabled for all users. SP, OpCo, and tenant administrators can enable or disable these notifications. Tenant administrators can override the settings configured by the SP or OpCo administrator. For example, if the OpCo administrator enables Login Notifications, then all users of the existing and new tenants are automatically configured to receive login notifications. However, a tenant can choose to disable the login notifications for its users.	SD-WAN Next Gen Firewall
Login Notification	Click this toggle button if you want to enable or disable notifications when users log in to CSO.	SD-WAN Next Gen Firewall
User Addition Notification	Click this toggle button if you want to enable or disable notifications when users are added to a scope (service provider, tenant, and OpCo).	SD-WAN Next Gen Firewall
User Removal Notification	Click this toggle button if you want to enable or disable notifications when users are removed from a scope (service provider, tenant, and OpCo).	SD-WAN Next Gen Firewall
SSL Settings	Note: You can modify this setting only if you have not added any SD-WAN sites for the tenant.	SD-WAN
Default SSL Proxy Profile	Click the toggle button to enable or disable a default SSL proxy profile for the tenant. If you enable this option, the following items are created: A default root certificate with the certificate content specified (in the Root Certificate field) A default SSL proxy profile A default SSL proxy profile intent that references the default profile Note: You use this option to create a tenant-wide default profile; enabling or disabling this option does not mean that SSL is enabled or disabled. If you enable this option, you must add a root certificate.	SD-WAN
Root Certificate	Note: This field is displayed only if you enabled the default SSL proxy profile. You can add a root certificate (X.509 ASCII format) by importing the certificate content from a file or by pasting the certificate content: To import the certificate content directly from a file: Click Browse. The File Upload dialog box appears. Select a file and click Open. The content of the certificate file is displayed in the Root Certificate field. Copy the certificate content from a file and paste it in the text box. After the tenant is successfully added, a default root certificate, a default SSL proxy profile, and a default SSL proxy profile intent are created. Note: The root certificate must contain both the certificate content and the private key. For full-fledged certificate operations, such as certificates that need a passphrase, or that have RSA private keys, you must use the Certificates page (Administration > Certificates) to import the certificates and install on one or more sites.	SD-WAN
VPN Authentication		SD-WAN
Authentication Type	Note: If PKI Certificate was configured as the authentication type, you can modify the PKI properties (CA Server URL, Password, CRL Server, and Auto Renew) even after you add sites for the tenant. If Preshared Key was configured as the authentication type, then you can modify the authentication type only if you have not added SD-WAN sites for the tenant. Select the VPN authentication method to establish a secure IPsec tunnel: Preshared Key, which means that CSO establishes IPsec tunnels using keys. PKI Certificate, which means that CSO establishes IPsec tunnels using public key infrastructure (PKI) certificates. If you select this option, you can configure the following: CA Server URL—Specify the Certificate Authority (CA) Server URL. For example, http://`CA-Server-IP-Address`/certsrv/mscep/mscep.dll/pkiclient.exe. Password—Specify the password for the CA server. This field is optional. CRL Server URL—Specify the certificate revocation list (CRL) server URL. For example, http://`Revocation-List-Server-IP-Address`/certservices/abc.crl. CSO retrieves the list of revoked certificates from the CRL server. Auto Renew CA Certificates—Click the toggle button to enable or disable automatic renewal of certificates. If you enable this option, certificates are automatically renewed for all sites in the tenant. If you disable this option, certificates must be manually renewed. Note: If the certificate expires before the renewal, CSO might not be able to reach the device. Renew before expiry—If you enabled automatic renewal, select the period (3 days, 1 week, 2 weeks, or 1 month) before the expiration date when the certificates get automatically renewed. Note: You can also change the duration in the VPN Authentication page in Customer Portal (Administration > Certificate Management > VPN Authentication) page. Starting from the release 6.3.0, CSO supports customization of public key infrastructure (PKI) certificate attributes at the tenant level. You can configure these attributes as custom properties in the Tenant-Specific Attributes field.	SD-WAN
Overlay Tunnel Encryption	Note: You can modify this setting only if you have not added any SD-WAN sites for the tenant.	SD-WAN
Encryption Type	For security reasons, all data that passes through the VPN tunnel must be encrypted. Select the encryption type: 3DES-CBC—Triple Data Encryption Standard with Cipher-Block Chaining (CBC) algorithm. AES-128-CBC—128-bit Advanced Encryption Standard with CBC algorithm. AES-128-GCM—128-bit Advanced Encryption Standard with Galois/Counter Mode (GCM) algorithm. AES-256-CBC— 256-bit Advanced Encryption Standard with CBC algorithm. AES-256-GCM—256-bit Advanced Encryption Standard with GCM algorithm. The default encryption type is AES-256-GCM.	SD-WAN
Network Segmentation	Note: You can modify this setting only if you have not added any SD-WAN sites for the tenant.	SD-WAN
Network Segmentation	Click the toggle button to disable network segmentation on the tenant.	SD-WAN
Dynamic Mesh	Note: You can modify these settings even after you add sites for the tenant. Sites with SD-WAN Essentials service do not support creation or deletion of dynamic mesh tunnels based on a user-defined threshold for the number of sessions closed between two branch sites.	SD-WAN
Threshold for Creating a Tunnel	Not applicable to sites with SD-WAN Essentials service.	SD-WAN
Number of Sessions	Specify the maximum number of sessions closed (for a time duration of 2 minutes) between two branch sites. The dynamic mesh tunnel is created between two branch sites if the number of sessions closed (for a time duration of 2 minutes) is greater than or equal to the value that you specified. The default threshold value (the number of sessions for 2 minutes) is 5.	SD-WAN
Threshold for Deleting a Tunnel	Not applicable to sites with SD-WAN Essentials service.	SD-WAN
Number of Sessions	Specify the minimum number of sessions closed (for a time duration of 15 minutes) between two branch sites. The dynamic mesh tunnel is deleted between two branch sites if the number of sessions closed (for a time duration of 15 minutes) is lesser than or equal to the value that you specified. The default threshold value (the number of sessions for 15 minutes) is 2.	SD-WAN
Max Dynamic Mesh Tunnels		SD-WAN
Max tunnels per CSO	Displays the maximum number of dynamic mesh tunnels that can be created in CSO. The total number of dynamic mesh tunnels that can be created by all tenants in CSO is limited to 125000. You cannot modify this field.	SD-WAN
Max tunnels per tenant	Specify the maximum number of dynamic mesh tunnels that the tenant can create. Range: 1 through 50,000.	SD-WAN
Dynamic Mesh	Click the toggle button to disable or enable dynamic meshing between sites in the tenant.	SD-WAN
Cloud Breakout Settings	Note: You can modify these settings even after you add sites for the tenant.	SD-WAN
Customer Domain Name	Enter the domain name of the tenant. The domain name is used in cloud breakout profiles to generate the fully qualified domain name (FQDN). The cloud security providers use the FQDN to identify the IPsec tunnels.	SD-WAN
Advanced Settings (Optional)		SD-WAN Next Gen Firewall
Primary/Secondary Hub Affinity	By default, hub affinity is enabled. Enable the toggle button to configure the CPEs to prefer the user-selected primary and secondary hubs over other paths for the SD-WAN overlay traffic. Disable the toggle button to configure the CPEs to prefer the shortest routes over the user-selected primary and secondary hubs for the SD-WAN overlay traffic. For more details, see Understanding Specific Route-based Routing Within the SD-WAN Overlay.	SD-WAN Next Gen Firewall
Tenant-Owned Public IP Pool	You can modify (add, edit or delete) the public IPv4 subnets that are part of the tenant’s pool of public IPv4 addresses. The tenant IP pool addresses are assumed to be public IP addresses and represent public LAN subnets in SD-WAN branch sites. To add an IPv4 subnet: Click the add (+) icon. An editable row appears inline in the table. In the Addresses field, enter a valid, public IPv4 prefix. Note: Ensure that the IP addresses configured for a tenant are unique. Click √ (check mark) to save your changes. The prefix that you entered is displayed in the table. You can enter more IPv4 subnets by following the preceding procedure. To modify a subnet that you entered, select the subnet and click the edit (pencil) icon. To delete a subnet, select the subnet and click the delete icon. If you update the IP address pool of a tenant, CSO runs a job to automatically update and reprovision the tenant sites.	SD-WAN Next Gen Firewall
Tenant-Specific Attributes	Note: You can modify these settings even after you add sites for a tenant. If you have set up a third-party provider edge (PE) device by using software other than CSO, then configure settings on that router by specifying custom parameters and its corresponding values. You can modify existing attributes or add attributes. To add an attribute: Click the add (+) icon. An editable row appears inline in the table. Specify any information about the site that you want to pass to a third-party router; for example, location. Specify a value for the information about the site that you want to pass to a third-party device; for example, Chicago. Click √ (check mark) to save your changes. The prefix that you entered is displayed in the table. To modify an attribute, select a row, click the edit (pencil) icon, and modify the name and value. To delete an attribute, select a row, click the delete icon, and then click Yes on the Confirm Delete window. Starting in Release 6.3.0, CSO supports customization of the public key infrastructure (PKI) certificate attributes. For more details, refer to Table 2.	SD-WAN Next Gen Firewall

CSO supports the tenant-specific attributes listed in Table 2. Enter a Role Name and a Value to customize a parameter or enable a feature.

Table 2: Tenant-Specific Attributes
Role Name	Value	Description
PKI Certificate Attributes
PKI_O	{{TENANT_NAME}} Default value. Modify it if required.	Customizes the organization name in the PKI certificate.
PKI_OU	{{EMPTY}} Default value. Modify it if required.	Customizes the organization unit name in the PKI certificate.
PKI_OU1	{{EMPTY}} Default value. Modify it if required.	Customizes the organization unit 1 name in the PKI certificate.
PKI_OU2	{{EMPTY}} Default value. Modify it if required.	Customizes the organization unit 2 name in the PKI certificate.
PKI_C	US Default value. Modify it if required.	Customizes the country name in the PKI certificate.
PKI_ST	{{EMPTY}} Default value. Modify it if required.	Customizes the state name in the PKI certificate.
PKI_L	{{EMPTY}} Default value. Modify it if required.	Customizes the locality name in the PKI certificate.

In the Value field for PKI certificate attributes, you can either specify a value directly (for example, US), or use a place holder in double curly braces (for example, {{TENANT_NAME}}). CSO supports the following values in double curly braces:

{{TENANT_NAME}} - On certificate generation, CSO replaces this value with the actual tenant name.
{{SITE_NAME}} - On certificate generation, CSO replaces this value with the actual site name.
{{EMPTY}} - On certificate generation, CSO does not list any value against this role name.

If you configure a custom property for the PKI certificate, ensure that the certificate is renewed (from Administration > Certificate Management > VPN Authentication page) for the values to reflect on the device.

View and Edit Tenant Settings

Related Documentation