Versa Networks

Configure SASE Tenants

For supported software information, click here.

You can configure a tenant to be a managed service provider (MSP) tenant. When you enable MSP on a tenant, the SASE service is automatically assigned to the tenant. You can configure multiple Versa Cloud gateways per SASE tenant, and you can configure logging services for SASE tenants that subscribe to the Versa SASE fabric service. You can also select specific parent tenant resources to propagate to subtenants.

This article describes how to add a new SASE tenant to a parent organization. 

For information about configuring an SD-WAN tenant, see Configure a Secure SD-WAN Tenant.

MSP Tenant Overview

You can configure a tenant to be a managed service provider (MSP) tenant. When you enable MSP on a tenant, the SASE service is automatically assigned to the tenant. An MSP tenant does not own any SASE gateways itself, but it can have subtenants that have access to the gateways that are owned by the MSP tenant's parent tenant.

The following figure illustrates the hierarchy of an MSP tenant. Here, the tenant named MSP-tenant is an MSP tenant that does not own any gateways, but its parent, ACME, does own gateways. The subtenants of MSP-tenant are MSP-tenant-child1 and MSP-tenant-child2, and they have access to the gateways owned by ACME.


When you create an MSP tenant, you configure it to have one of the following gateway types:

  • Shared—The MSP tenant does not own any of the gateways. This tenant is onboarded onto Director and Controller nodes, but it is not provisioned on the gateways. Any non-MSP subtenant inherits gateways from the parent tenant of an MSP tenant, that is, from the ancestor tenant that has gateways. For example, if an MSP tenant called MSP-tenant is the child of the tenant called ACME, any subtenant of MSP-tenant can access all gateways available on the ACME tenant. MSP-tenant provides its subtenants with access to ACME's gateways, even though MSP-tenant does not own any gateways itself.
  • Dedicated—The MSP tenant owns the gateways. After the tenant is created from Concerto or directly from the Director organization workflow, SSE gateways are created directly on Versa Director with the MSP tenant as the provider organization. Concerto then does the following to discover the dedicated gateways from the Director nodes:
    • Discover the Director nodes—Discover the MSP tenants that were onboarded directly to Versa Director. If an MSP tenant was created in Concerto, this operation does not apply.
    • Use the appliance discovery process to discover the gateways owned by the MSP tenant on the Director nodes.

For MSP tenants using the dedicated gateway type, its subtenants have access only to the MSP-owned gateways retrieved from the Director node. For information about discovering appliances, see Discover VOS Devices for a Published Tenant.

You can configure an MSP tenant only for SASE tenants, not for SD-WAN tenants. However, for tenants that use both SASE and SD-WAN services, you can configure an MSP tenant as part of the SASE service configuration. For information about configuring the SD-WAN service on a tenant, see Configure a Secure SD-WAN Tenant.

You can configure multiple Versa cloud gateways per SASE tenant. Also, within each Versa cloud gateway on a given SASE gateway, you can now configure more than one IP address pool. The multiple Versa cloud gateways are isolated from other available Versa cloud gateways on the tenant (unless you explicitly configure them to connect to the other Versa cloud gateways). As a result, you can configure overlapping IP addresses in the Versa cloud gateways.

Note: Only enterprise users who have the permission to onboard tenants can create or manage their subtenants.

You can configure logging services for SASE tenants that subscribe to the Versa SASE fabric service. You can configure the following types of logs:

  • CGNAT logs
  • DNS logs
  • Firewall logs
  • Web logs (HTTP/HTTPS)

Create a SASE Tenant

  1. Go to the Tenants dashboard screen.

  2. Click +Tenant. The Create Tenant workflow displays. In step 1, General, enter information for the following fields.

    Note: Initially, the Create Tenant screen shows three workflow tabs: General, Roles (Tenant Active Roles), and Review & Submit. Once you select Security Service Edge (SSE) under Select Services in the Create Tenant screen, the Security Service Edge step is added to the workflow.

    Field Description
    Tenant Name Enter a name for the tenant.
    Enabled

    Click the slider to enable the new tenant after you create it.
     


    Global Tenant ID The tenant is assigned a global ID automatically. However, you can enter a different global tenant ID.
    Parent Tenant Select a parent tenant. 
    Note: For Releases 12.2.2 and later, tenants can inherit configurations from the parent that you select. 
    Managed Service Provider (MSP) (Group of Fields)

    Click the slider to enable MSP mode for the tenant. In this mode, the SSE service is selected automatically, and you cannot deselect it. Note that if a tenant has already been deployed as a non-MSP tenant, you cannot change it to an MSP tenant and then redeploy it. Also note that you can select the Secure SD-WAN service for the MSP tenant. For more information, see Configure a Secure SD-WAN Tenant.


    • Gateway Type

    If you enable MSP mode, select the gateway type:

    • Dedicated—Create an MSP tenant that owns its gateways.
    • Shared—Create an MSP tenant that does not own any of the gateways. Note that you can change the gateway type to Dedicated later. This is the default.

    Select Services

    Select SASE as a Service (Security Service Edge). Selecting Security Service Edge adds the following steps to the workflow:

    • For Releases 12.2.2 and later, Security Service Edge is two steps: Product & Gateways (step 2) and Inherit Configuration (step 14).
    • For Releases 12.2.1 and earlier, Security Service Edge is one step (step 2).


    Note: If you enable MSP mode, the Security Service Edge (SSE) workflow steps are automatically bypassed (and do not appear in the workflow). After you enable MSP mode, you cannot deselect it.

    • (For Releases 12.1.1 and later) SASE for SIM—Click to enable SASE for SIM for the client. This option is enabled only if you select Security Service Edge (SSE). For more information, see Configure SASE for SIM.

     

    Directors

    Select one or more Director nodes to associate with the tenant. Then click the slider to designate a Director as the default Director. The default Director node authenticates all Administrator users, whether the users are local or internal to the Director node.


    Controllers Select one or more Controller nodes to associate with the tenant.
    ZTP Type

    Select the type of ZTP to use:

    • Serial Number
    • URL—For on-premises SD-WAN devices
    SD-WAN Solution Tiers

    Select one or more SD-WAN solution tiers.

    (For Releases 12.2.2 and later.) The options are:

    • Essential SD-WAN
    • Professional SD-WAN
    • Elite SD-WAN
    NGFW Solution Tiers

    Select one or more NGFW solution tiers.

    (For Releases 12.2.2 and later.) The options are:

    • Essential NGFW
    • Professional NGFW
    • Elite NGFW
    Appliance Preferred Version Select the VOS software version for the tenant to use.
  3. Click Next. In step 2, Security Service Edge (Product & Gateways), there are three sections under Security Service Edge Inherit Configuration:
    • Select Usage Type
    • Select Tenant Product
    • Select Region
  4. In the Select Usage Type section, select and configure the usage type. Enter information for the following fields.

    Field Description
    Enterprise Names The tenant name that you entered in the General tab appears. You can enter additional names in this field. Press Enter after typing in each name.

    Pre-logon Enabled

    Click the slider to enable pre-logon for a Versa SASE client. The pre-logon connection method allows a client device to establish a Versa cloud gateway connection to an organization's network. Pre-logon authenticates a user on the client device and then establishes a secure connection to the organization's network.
    Portal Auto Discovery Service
    (Group of Fields)

    Portal Auto Discovery Service allows SASE clients to discover SASE gateways associated with their enterprise. This feature is available for service providers that have an additional Portal Auto Discovery service deployed in the cloud.

     

    • Domains
    Set one or more domains for tenant usage.
    • Requires Authentication Disabled
    Click the slider to disable authentication for a Versa SASE client. The default requires authentication. Use this for development and testing purposes or for non-production tenants.
    • Introspection URL
    Define an endpoint that allows a resource server or other authorized entities to verify the active state and metadata of an access or refresh token. For example, a sample URL is <application-name>/xxx-yyy-zzz. Use when you want centralized control and better validation of token authenticity.
    • Token Type Hint

    The token type hint provides a hint to the authorization server about the type of token being revoked. This helps the server quickly identify the token and process the revocation. Options include:

    • Access Token (short-lived lifespan)
    • Refresh Token (long-lived lifespan)
    • Scope
    Define what the service controls. This allows the auto discovery system to send the client to the correct entry point for the service requested.

    VSA Client Encryption Algorithms (Group of Fields)

     
    • IPsec Transform

    Select an IPsec transform encryption algorithm from the list. The options are:

    • esp-aes128-sha1
    • esp-aes128-ctr-sha1
    • esp-aes128-gcm
    • esp-aes128-md5
    • esp-aes128-sha256
    • esp-aes128-sha384
    • esp-aes128-sha512
    • esp-aes256-gcm
    • esp-aes256-md5
    • esp-aes256-sha1
    • esp-aes256-sha256
    • esp-aes256-sha384
    • esp-aes256-sha512
    • esp-null-md5
    • IPsec Group

    Select the IPsec Diffie-Hellman group from the list. The options are:

    • Diffie-Hellman Group 1—768-bit modulus
    • Diffie-Hellman Group 2—1024-bit modulus
    • Diffie-Hellman Group 5—1536-bit modulus
    • Diffie-Hellman Group 14—2048-bit modulus
    • Diffie-Hellman Group 15—3072-bit modulus
    • Diffie-Hellman Group 16—4096-bit modulus
    • Diffie-Hellman Group 19—256-bit elliptic curve
    • Diffie-Hellman Group 20—384-bit elliptic curve
    • Diffie-Hellman Group 21—521-bit elliptic curve
    • Diffie-Hellman Group 25—192-bit elliptic curve
    • Diffie-Hellman Group 26—224-bit elliptic curve
    • No PFS
    Select Usage Type (Group of Fields)  
    • Based on the Number of Users
    Click to configure the subscription usage type based on the number of users. If you select this option, you enter the number of users in the next step in the workflow when selecting the tenant product.
    • Based on Bandwidth

    Click to configure the subscription usage type based on the amount of bandwidth used. This is the default.

    Total Bandwidth

    If you select the usage type based on bandwidth, select the total amount of subscribed bandwidth to allocate to the tenant.

    Range: 250 Mbps through 10 Gbps

    Default: None

    Maximum Site-to-Site Tunnels

    Enter the maximum number of site-to-site tunnels allowed across all gateways.

    Range: 0 through 5000
    Default: None

  5. Click Next to go to the Select Tenant Product section. If you configured the tenant based on the number of users, the following screen displays. 
  6. Under Select Product for this Tenant, select the product bundles for the tenant. The product bundles combine the Versa Networks SSE and network-as-a-service solutions into a secure network-as-a-service offering.
    1. In the Select Product for this Tenant section, enter information for the following fields.
       
      Field Description
      Select Product for this Tenant (Group of Fields)  
      • Versa Secure Internet Access (VSIA)

      Click to select the VSIA bundle, then select a specific VSIA bundle:

      • Elite
      • Essential
      • Professional

       

      If you choose the VSIA Professional bundle, you can select one or more of the following optional add-ons:


      • API-Based Data Protection
      • Data Loss Prevention
      • Advanced Threat Protection (Cloud Malware Sandbox with Antivirus and AI/ML)

       

      If you choose the VSIA Elite bundle, you can select one or more of the following optional add-ons:


      • API-Based Data Protection
      • Advanced Threat Protection (Cloud Malware Sandbox with Antivirus and AI/ML)
      • User and Entity Behavior Analytics (UEBA)

      By default, the API-based data protection (API-DP) and advanced threat protection (ATP) essential features are enabled with restricted access for this solution tier. With restricted access, you cannot create more than three API-DP connectors and you cannot add or edit an ATP profile.

      By default, data loss prevention option is added to the Elite bundle. 

      • Internet Protection Rules Maximum
      Enter the maximum number of internet protection rules that can be configured on the tenant.
      • Direct Internet Access from Gateways
      Click the slider to enable direct internet access (DIA) from the tenant gateways.
      • VSIA Subscription Information (Group of Fields)
       
      • Number of VSIA Users
      Enter the total number of VSIA users for the tenant.
      • License Start Date
      Enter the start date of the VSIA license. To choose the date from the calendar, click the Calendar icon.
      • License End Date
      Enter the end date of the VSIA license. To choose the date from the calendar, click the Calendar icon.
      • Versa Secure Private Access (VSPA)

      Click to choose the VSPA bundle, and then select a specific VSPA product bundle:

      • Essential
      • Professional
      • Private Application Protection Rules Maximum
      Enter the maximum number of private application protection rules that can be configured for the tenant.
      • VSPA Subscription Information (Group of Fields)
       
      • Number of VSPA Users
      Enter the total number of VSPA users for the tenant.
      • License Start Date
      Enter the start date of the VSPA license. To choose the date from the calendar, click the Calendar icon.
      • License End Date
      Enter the end date of the VSPA license. To choose the date from the calendar, click the Calendar icon.
      • Digital Experience Monitoring (DEM) Professional Enabled
      Click to enable DEM Professional on remote secure access client devices to periodically monitor end-to-end network and application performance of the devices. DEM is disabled by default.
      • VSIA and VSPA Bundle Subscription Information (Group of Fields)
       
      • Number of VSIA and VSPA Users
      Enter the total number of the tenant's VSIA and VSPA users.
      • License Start Date
      Enter the start date of the VSIA and VSPA licenses. To choose the date from the calendar, click the Calendar icon.
      • License End Date
      Enter the end date of the VSIA and VSPA licenses. To choose the date from the calendar, click the Calendar icon.
      Select Logging for this Tenant (Group of Fields)  
      • Firewall Logs

      Click to enable firewall logs.

      Click the down-arrow and then select the type of logging service to enable:

      • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
      • Analytics—Send logs to the Versa Analytics cluster for processing.
      • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
      • Web Logs

      Click to enable web logs.

      Click the down-arrow and then select the type of logging service to enable:

      • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
      • Analytics—Send logs to the Versa Analytics cluster for processing.
      • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
      • Domain Name System (DNS) Logs

      Click to enable DNS logs.

      Click the down-arrow and then select the type of logging service to enable:

      • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
      • Analytics—Send logs to the Versa Analytics cluster for processing.
      • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
      • Carrier-Grade NAT (CGNAT) Logs

      Click to enable CGNAT logs.

      Click the down-arrow and then select the type of logging service to enable:

      • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
      • Analytics—Send logs to the Versa Analytics cluster for processing.
      • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
  7. If you configured the tenant based on bandwidth in Step 4, the following screen displays. Enter information for the following fields.

    Field Description
    Select Product for This Tenant (Group of Fields)

    Select the product bundle for the tenant.

    The API-based data protection, data loss prevention, and advanced threat protection features are enabled with full access for the following solution tiers:

    • Versa Secure Access Fabric—Professional Bundle (with optional add-on features)

    The API-DP, ATP, and user and entity behavior analytics (UEBA) features are enabled with full access for the following solution tier:

    • Versa Secure Access Fabric—Elite Bundle (with optional add-on features)

    (For Releases 12.2.2 and later.) The API-DP and ATP essential features are enabled with restricted access for the following solution tier:

    • Versa Secure Access Fabric—Elite Bundle (without optional add-on features)

    Note: You must select the optional add-on features available with the professional and elite bundles to enable full access for the add-on features.

    • Versa Secure Access Fabric—Essential Bundle

    This bundle includes:

    • Versa Secure Internet Access (VSIA) Essential
    • Versa Secure Private Access (VSPA) Essential
    • Premier Secure SD-WAN
    • Versa Secure Access Fabric—Essential Plus Bundle

    This bundle includes:

    • Versa Secure Internet Access (VSIA) Essential
    • Versa Secure Private Access (VSPA) Professional
    • Premier Secure SD-WAN
    • Versa Secure Access Fabric—Professional Bundle

    This bundle includes:

    • Versa Secure Internet Access (VSIA) Professional
    • Versa Secure Private Access (VSPA) Professional
    • Premier Secure SD-WAN

    You can also choose one or more of the following options:

    • API-Based Data Protection
    • Data Loss Prevention
    • Advanced Threat Protection (Cloud Malware Sandbox with Antivirus and Artificial Intelligence/Machine Learning (AI/ML)). (For Releases 12.2.2 and later.) If you select this option, Advance Security Cloud displays as Step 3.

    • Versa Secure Access Fabric—Elite Bundle

    This bundle includes:

    • Versa Secure Internet Access (VSIA) Elite
    • Versa Secure Private Access (VSPA) Professional
    • Premier Secure SD-WAN

    By default, the API-DP and ATP essential features are enabled with restricted access for this solution tier. With restricted access, you cannot create more than three API-DP connectors and you cannot add or edit an ATP profile.

    You can also choose one or more of the following options:

    • API-Based Data Protection
    • Advanced Threat Protection (Cloud Malware Sandbox with Antivirus and Artificial Intelligence/Machine Learning (AI/ML)). (For Releases 12.2.2 and later.) If you select this option, Advance Security Cloud displays as Step 3.
    • User and Entity Behavior Analytics (UEBA)


    By default, the data loss prevention option is included in the Elite bundle.

    Internet Protection Rules Maximum

    Enter the maximum number of internet protection rules allowed.

    Default: 500

    Range: 1 through 999999

    Private Application Protection Rules Maximum

    Enter the maximum number of private application protection rules allowed.

    Default: 50

    Range: 1 through 999999

    Direct Internet Access from Gateways Click to disable direct internet access (DIA) from gateways. When this option is enabled, the SASE gateway sends all internet-bound traffic using the default route configured on it. In typical deployments, the default route sends traffic towards the enterprise data center over a site-to-site IPsec tunnel. By default, the Versa Secure Internet Access (VSIA) feature, which is included in both bundles, enables DIA for all internet-bound traffic coming from a tenant. This option is available if you configure the tenant based on bandwidth.
    Digital Experience Monitoring (DEM) Professional Disabled

    Click to enable DEM Professional on remote secure access client devices to periodically monitor end-to-end network and application performance of the devices. DEM is disabled by default. To enable DEM, click the slider bar:


    Select Logging for this tenant. Configure the logging to use for the tenant.
    • Firewall Logs

    Click to enable firewall logs.

    Click the down-arrow and then select the type of logging service to enable:

    • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
    • Analytics—Send logs to the Versa Analytics cluster for processing.
    • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
    • Web Logs

    Click to enable web logs.

    Click the down-arrow and then select the type of logging service to enable:

    • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
    • Analytics—Send logs to the Versa Analytics cluster for processing.
    • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
    • Domain Name System (DNS) Logs

    Click to enable DNS logs.

    Click the down-arrow and then select the type of logging service to enable:

    • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
    • Analytics—Send logs to the Versa Analytics cluster for processing.
    • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.
    • Carrier-Grade NAT (CGNAT) Logs

    Click to enable CGNAT logs.

    Click the down-arrow and then select the type of logging service to enable:

    • Advanced Logging Service—ALS is a cloud-based service that processes and stores log files. To use ALS, the provider organization configures a LEF profile on the SASE gateway.
    • Analytics—Send logs to the Versa Analytics cluster for processing.
    • Archive—Send logs to the ALS service for archiving only; the logs are not processed. However, you can process the logs offline. To use the archive option, the provider organization configures a LEF profile on the SASE profile. This profile must be different from the LEF profile used for the ALS option.

     

  8. (For Releases 12.1.1 and later.) If, in Step 7, you select Versa Secure Access Fabric—Elite Bundle or if you select Versa Secure Access Fabric—Professional Bundle with the Advanced Threat Protection add-on as the tenant product, Step 4, Advance Security Cloud displays. In this screen, you enter the RBI and ATP/DLP cloud instance information for the regions of the tenant that you select in workflow step 2, Security Service Edge. ATP and RBI cloud instance information is shared with the Versa Cloud Gateway (VCG) so that the VCG can connect to the cloud service to initiate sandboxing or RBI. Enter information for the following fields.
     
    Field Description
    Regions Displays the name of the region you selected in the Security Service Edge screen.
    Gateways Displays the number of gateways associated with a region.
    ATP/DLP Instance Select the ATP or DLP cloud instance for the tenant to connect to VCG. For more information, see Configure Advanced Threat Protection and Configure Data Loss Prevention in Concerto.
    ATP/DLP Authentication Token Enter the authentication token for the tenant to use to refresh the access tokens when making API requests to the cloud or private sandbox service.
    ATP/DLP Token Expiry Time Enter how often to refresh access tokens when making API requests to the cloud or private sandbox service, in seconds.
    RBI Instance Select the RBI cloud instance for the tenant to connect to VCG.
    RBI Authentication Token Enter the authentication token for the tenant to use to refresh the access tokens when making API requests to the cloud for RBI service.
    RBI Token Expiry Time (Days) Enter how often to refresh access tokens when making RBI requests to the cloud or private sandbox service, in days.
  9. Click Next to go to the Select Region section. This screen displays the available regions and how many gateways are currently being used in each region.
  10. To display information about the gateways in the region and to assign new gateways to the region, click View Details.

  11. Click in the search box to view the gateways in the region, click the checkbox next to a gateway name, and then click the Add button to add it to the region.


    The gateway is added to the region.
  12. To display information about the gateway, including the gateway group, Versa cloud gateway, and client address pool name and IP address, click the down arrow next to the gateway name. For each Versa cloud gateway on a gateway, you can configure one or more client address pools. To define which users are assigned to the pools, you use a secure access policy, and you can then apply access restrictions to a pool of users using the same Versa cloud gateway.
  13. To configure gateway information, enter information for the following fields. Note that within a single Versa cloud gateway, the client address pool names and client address pool ranges must be unique. However, if a gateway has multiple Versa cloud gateways, you can use the same address pool name and address pool range in more than one Versa cloud gateway, because the Versa cloud gateways do not share information. The IP addresses for each pool in a Versa cloud gateway must not overlap, both on the selected gateway and across all gateways.

    Field Description
    Allocated Bandwidth

    Enter the maximum amount of bandwidth that a tenant can use on the gateway. This value is considered if Committed Bandwidth is not configured.

    Range: 0 through 999999 Mbps

    Default: None

    Committed Bandwidth

    (For Releases 12.2.1 and later.) Enter the committed amount of bandwidth that a tenant can use on the gateway. This value is considered for available bandwidth when Allocated Bandwidth and Committed Bandwidth are configured.

    Range: 0 through 999999 Mbps

    Default: None

    Configure Dedicated Public IP Pool (Group of Fields) (For Releases 12.2.2 and later.) Enable to display the number of internet circuits and public IP address pools available for the gateway. When you enable this, you must define the public IP pool using the Start and End fields. Note that the Admin user must add proxy ARP on WAN circuits for the configured IP pools.
    • Public IP Pool Range 

    Define the range of IP addresses in the pool. If you have only one IP address, use the same value for both Start and End fields. Additionally, you can assign dedicated public IP addresses to specific circuits. 

    • Circuits
    Displays the internet circuit name for the gateway. 
    • Start
    Enter or edit the starting IP address in the address range. 
    • End
    Enter or edit the last IP address in the address range.
    Portal Click the slider to enable the secure access portal service on the gateway.
    Gateway Group Select a gateway group to which to assign the gateway.
    VPN

    Select one or more Versa cloud gateways to assign them to the gateway. The Versa cloud gateway select column shows all Versa cloud gateways that are available for the tenant. Note that if you configure no Versa cloud gateways on a tenant, the SASE service uses a default Versa cloud gateway with the name tenant-name-Enterprise. Also note that because guest Versa cloud gateways should not be extended to SASE gateways, they are not displayed in the Versa cloud gateway selection column.

    If multiple Versa cloud gateways are available on a tenant and you do not want to provision one of them on a gateway, select Do Not Use in the Versa cloud gateway column.


    To assign an unused Versa cloud gateway to a gateway later, select it to assign to the gateway.

    Client Address Pool Name

    Enter a name for the client address pool. If you configure more than one address pool for the same Versa cloud gateway, the pools must have unique names. However, if multiple Versa cloud gateways are available for the same gateway, you can use the same client address pool name in each Versa cloud gateway.

    Client Address Pool

    Enter a valid IP address range to use for the client address pool. The minimum address pool size is a /24 subnet. If you configure more than one address pool for the same Versa cloud gateway, the pools must have unique IP address ranges. However, if multiple Versa cloud gateways are available for the same gateway, you can use the same client IP address range in each Versa cloud gateway.

  14. To create a group of gateways that you can then assign to a region, click add-icon-blue-on-white-22.png Create Gateway Group. You can then assign one or more Versa cloud gateways to the gateway group, as described above. To create a gateway group:
    1. Enter a name for the group.
    2. Click the add-icon-blue-on-white-22.png Add icon to add gateway groups.
    3. Click Save to create the gateway groups.

      create-gateway-group-v2-border.png
       
  15. To select which resources you want to apply (propagate) from the parent tenant to the new tenant, select the checkboxes in the far-left column of the Parent Configurations table. In this example, Real-Time Protection > Internet Protection > simple-config is selected. Other configurations can be propagated, such as TLS Decryption and User-Defined Objects.  
    Note that some configurations cannot be propagated, such as site-to-site tunnels, secure access, and Versa cloud gateway settings. Enterprise-specific configurations, such as certificates or anything requiring file uploads, are also not supported for propagation.

    inherit-configuration-1.png
  16. Click Next to display the Step 3, Roles screen.

    SASE-Tenant-Roles-dashboard-v3-border.png
  17. Click the checkbox next to Roles to assign all roles to the tenant, or select individual roles to assign to the tenant.
  18. Click Next. In Step 4, Review & Submit, review the information you configured.

    create-tenant-review-v3-border.png
  19. To change any of the information, click the edit-pencil-icon-blue.png Edit icon in the section, and then make the changes.
  20. Click Publish to create the tenant on the selected gateways. Click Save to save the configuration so that you can publish it later.
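The pool rules from the gateway fields above (client address pools of at least a /24 with names and ranges unique per Versa cloud gateway, and a public IP pool given as Start and End) as an offline checker. This is an added example, not Versa Concerto code; the tuple layout and function names are assumptions for illustration.

```python
# Added example, not Versa Concerto code: an offline checker for the pool
# rules documented above, usable in a config review before publishing.
import ipaddress

MIN_CLIENT_POOL_PREFIX = 24  # documented minimum client address pool: a /24

def check_client_pools(pools):
    """pools: list of (versa_cloud_gateway, pool_name, cidr) for one gateway.

    Documented rules: pool names and ranges are unique within a Versa cloud
    gateway, may be reused across cloud gateways, and each pool is at least
    a /24. Overlapping (not only identical) ranges are flagged; that stricter
    reading is an assumption. Returns problem strings; empty means OK.
    """
    problems, seen_names, seen_nets = [], set(), {}
    for cgw, name, cidr in pools:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and net.prefixlen > MIN_CLIENT_POOL_PREFIX:
            problems.append(f"{cgw}/{name}: {cidr} is smaller than a /24")
        if (cgw, name) in seen_names:
            problems.append(f"{cgw}: duplicate client address pool name {name!r}")
        seen_names.add((cgw, name))
        for other_name, other in seen_nets.get(cgw, []):  # same cloud gateway only
            if net.overlaps(other):
                problems.append(f"{cgw}: {name} ({net}) overlaps {other_name} ({other})")
        seen_nets.setdefault(cgw, []).append((name, net))
    return problems

def public_ip_pool_size(start, end):
    """Validate a dedicated public IP pool's Start/End fields and return the
    address count. A single address is expressed as Start == End."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version:
        raise ValueError("Start and End must be the same IP version")
    if e < s:
        raise ValueError(f"End {end} precedes Start {start}")
    return int(e) - int(s) + 1

if __name__ == "__main__":
    # Constructed sample: reusing pool1 on two cloud gateways is allowed,
    # but pool2 on cgw-a is only a /25 and is reported.
    sample = [("cgw-a", "pool1", "10.10.1.0/24"),
              ("cgw-b", "pool1", "10.10.1.0/24"),
              ("cgw-a", "pool2", "10.10.2.0/25")]
    for problem in check_client_pools(sample):
        print("problem:", problem)
    print("public pool addresses:", public_ip_pool_size("203.0.113.10", "203.0.113.13"))
```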

Configure SASE Client Encryption Algorithms

You can configure advanced IPsec encryption algorithms and Diffie-Hellman groups for SASE clients connecting to a Versa Secure Access (VSA) Versa cloud gateway. After you configure encryption algorithms for a SASE client, remote access clients use those encryption algorithms to establish connections with a VSA Versa cloud gateway instead of using the default transforms and groups. To configure advanced encryption algorithms, you specify IPsec encryption algorithms and IPsec Diffie-Hellman groups in separate sets when you configure a SASE tenant in Concerto.

To configure VSA client encryption algorithms:

  1. In step 2, Security Service Edge (Product & Gateways), click Select Usage Type.
  2. Enter information for the following fields.

    encryption-algorithm.png
     
    Field Description

    VSA Client Encryption Algorithms (Group of Fields)

    • IPsec Transform

    Select an IPsec transform encryption algorithm from the list. The options are:
      • esp-aes128-sha1
      • esp-aes128-ctr-sha1
      • esp-aes128-gcm
      • esp-aes128-md5
      • esp-aes128-sha256
      • esp-aes128-sha384
      • esp-aes128-sha512
      • esp-aes256-gcm
      • esp-aes256-md5
      • esp-aes256-sha1
      • esp-aes256-sha256
      • esp-aes256-sha384
      • esp-aes256-sha512
      • esp-null-md5

    • IPsec Group

    Select an IPsec Diffie-Hellman group from the list. The options are:
      • Diffie-Hellman Group 1—768-bit modulus
      • Diffie-Hellman Group 2—1024-bit modulus
      • Diffie-Hellman Group 5—1536-bit modulus
      • Diffie-Hellman Group 14—2048-bit modulus
      • Diffie-Hellman Group 15—3072-bit modulus
      • Diffie-Hellman Group 16—4096-bit modulus
      • Diffie-Hellman Group 19—256-bit elliptic curve
      • Diffie-Hellman Group 20—384-bit elliptic curve
      • Diffie-Hellman Group 21—521-bit elliptic curve
      • Diffie-Hellman Group 25—192-bit elliptic curve
      • Diffie-Hellman Group 26—224-bit elliptic curve
      • No PFS
  3. Click Next. To save and publish the tenant configuration, see Create a SASE Tenant, above.
  4. Re-register the Versa SASE Client. After registration, the SASE client Account Details screen displays the encryption algorithms configured in the SASE client.

    client-verify-sse.png
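A review helper for the IPsec Transform and IPsec Group options listed above: it rates each choice so the set a tenant selects can be checked for weak legacy options before publishing. This is an added example, not Versa code; the ratings are general cryptographic guidance, not a Versa recommendation, and the function names are assumptions.

```python
# Added example, not Versa code: rates the VSA client IPsec transform and
# Diffie-Hellman group options listed above so a tenant's selected set can be
# reviewed before publishing. Ratings follow general guidance (NULL encryption,
# MD5 and sub-2048-bit MODP groups deprecated; SHA-1 legacy), not Versa's.
TRANSFORMS = {
    "esp-aes128-sha1", "esp-aes128-ctr-sha1", "esp-aes128-gcm", "esp-aes128-md5",
    "esp-aes128-sha256", "esp-aes128-sha384", "esp-aes128-sha512", "esp-aes256-gcm",
    "esp-aes256-md5", "esp-aes256-sha1", "esp-aes256-sha256", "esp-aes256-sha384",
    "esp-aes256-sha512", "esp-null-md5",
}
# DH group number -> (modulus or curve size in bits, is_elliptic_curve)
DH_GROUPS = {1: (768, False), 2: (1024, False), 5: (1536, False),
             14: (2048, False), 15: (3072, False), 16: (4096, False),
             19: (256, True), 20: (384, True), 21: (521, True),
             25: (192, True), 26: (224, True)}
LEVELS = {"ok": 0, "legacy": 1, "avoid": 2}  # higher is worse

def rate_transform(name):
    """Return (level, reason) for one esp-<cipher>[-mode]-<auth> option."""
    if name not in TRANSFORMS:
        raise ValueError(f"unknown transform {name!r}")
    parts = name.split("-")
    if parts[1] == "null":
        return "avoid", "ESP NULL encryption gives no confidentiality"
    if parts[-1] == "md5":
        return "avoid", "HMAC-MD5 integrity is deprecated"
    if parts[-1] == "sha1":
        return "legacy", "HMAC-SHA1 integrity; prefer SHA-2 or GCM"
    return "ok", "AES with SHA-2 HMAC or AES-GCM (AEAD)"

def rate_dh_group(group):
    """group is a DH group number from DH_GROUPS, or None for 'No PFS'."""
    if group is None:
        return "legacy", "No PFS: child SA keys derive from the IKE SA without a fresh DH exchange"
    bits, ec = DH_GROUPS[group]
    if ec:  # curve size; P-256 and up give at least 128-bit security
        level = "ok" if bits >= 256 else ("legacy" if bits >= 224 else "avoid")
        return level, f"{bits}-bit elliptic curve"
    return ("ok" if bits >= 2048 else "avoid"), f"{bits}-bit MODP"

def weakest(transforms, groups):
    """Overall level for a selected set: the worst single choice decides."""
    levels = [rate_transform(t)[0] for t in transforms]
    levels += [rate_dh_group(g)[0] for g in groups]
    return max(levels, key=LEVELS.__getitem__)
```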

Supported Software Information

Releases 11.1.1 and later support all content described in this article, except:

  • Release 11.4.1 adds support for the Versa Secure Access Fabric Elite product bundle.
  • Release 12.1.1 adds support to enable pre-logon for Versa SASE client and to add RBI and ATP/DLP cloud instance details for tenant regions; allows you to create a tenant with a non-SD-WAN solution tier. 
  • Release 12.2.1 adds support for enabling Digital Experience Monitoring (DEM).
  • Release 12.2.2 adds support for configuring public IP pools; API-based data protection and advanced threat protection essential features with restricted access for Versa Secure Access Fabric Essential, Essential Plus, and Professional bundle without optional add-on features; support for propagating existing resources from a parent tenant to a new or existing subtenant.