Configure a Secure SD-Router in Concerto
For supported software information, click here.
Service provider administrators can deploy Secure SD-Routers using Concerto. The Secure SD-Router includes all the features needed for WAN router functionality. When you select the Secure SD-Router service for a tenant, the NextGen Firewall-Unified Threat Management (NGFW-UTM) service is also selected by default. The NGFW-UTM service provides data to the View lifecycle to determine whether or not any security data in that tenant is shown for all the service provider's end customers.
The solution tiers available for Secure SD-Router are the NGFW solution tiers:
- Essential NGFW
- Professional NGFW
- Elite NGFW
Other service tiers are not available. When a service provider creates a tenant running the SD-Router service, all routers for all of the service provider tenants are displayed in the dashboard at View > Dashboard > Secure SD-WAN > Overview.
You select the Secure SD-Router service when you publish a new tenant. Tenants already running the Secure SD-WAN or Security Service Edge (SSE) services cannot be changed to run the Secure SD-Router service. In addition, a tenant with the Secure SD-Router service type cannot be the parent of sub-tenants.
Roles and Permissions
By default, when a service provider publishes a new tenant, the system creates two user roles—Enterprise Administrator and Enterprise Operator. When a service provider publishes a new tenant with the Secure SD-Router service type, the system creates a third user role, called Default SD-Router Operator. The Default SD-Router Operator role has two levels of permissions: feature-level and resource-level.
The feature-level permissions for the Default SD-Router Operator role are:

| Feature | Permission |
|---|---|
| ConfigurationLifecycleGraph | Hide |
| AnalyticsLifecycleGraph | Hide |
| InventoryLifecycleGraph | Hide |
| ViewLifecycleGraph | Read |
| SystemLifecycleGraph | Hide |

The resource-level permissions for the Default SD-Router Operator role are:

| Resource | Permission |
|---|---|
| DeploymentLifecycleGraph | Hide |
| MonitoringLifecycleGraph | Read |
| SystemLifecycleGraph | Hide |

Service providers need to configure the appropriate permissions for each customer with the Secure SD-Router service type by cloning the Default SD-Router Operator role. See Configure Roles and Permissions below.
Configure an SD-Router in Concerto
- Go to the Tenants home screen.

- Click + Tenant to go to the Create Tenant workflow. In step 1, General, enter information for the following fields.

| Field | Description |
|---|---|
| Tenant Name | Enter a name for the tenant. |
| Enabled | The tenant is enabled by default. Click the slider bar to disable the tenant after it is created. |
| Parent Tenant | Select a parent tenant. |
| Select Services | Click Secure SD-Router. NGFW-UTM is automatically selected along with Secure SD-Router. The other services are grayed out and cannot be selected. Note: If Secure SD-Router is not selected, NGFW-UTM is still available to configure along with the other services (Secure SD-WAN, Security Service Edge (SSE), and SASE for SIM). |
| Host | Select one or more Directors to associate with the new tenant. |
| Default | If you select more than one Director, click the slider to select one to be the default Director. |
| Controllers | Select one or more Controllers for the tenant. |
| ZTP Type | Select the type of Zero Touch Provisioning (ZTP) to use when you activate the tenant: Serial Number (this is the default) or URL. For more information, see Activate VOS Devices. |
| License Year | Select a license year. |
| NGFW Solution Tiers | Select one or more NGFW solution tiers: Elite NGFW, Essential NGFW, Professional NGFW. |
| Appliance Preferred Version | Select the preferred Versa Operating System™ (VOS™) software version for the device. |

- Click Next to go to step 2, Roles.

- The predefined roles for the customer are selected by default. To accept the default roles, click Next. To change the default roles, select or deselect roles as needed, then click Next. To customize the permissions for a customer role, see Configure Roles and Permissions below.
- Click Next to go to step 3, Review & Submit.

- Review your selections. To change any section, click the Edit icon and make the change.
- Click Save to create the new Secure SD-Router tenant.
Configure Roles and Permissions
Service providers need to configure the appropriate permissions for tenant customers with the Secure SD-Router service type. To do this, you clone the Default SD-Router Operator role.
To configure roles and permissions:
- Go to the Tenants home page.

- Click on the name of the Secure SD-Router to use to clone permissions. The home screen for that tenant displays.

- Select Users in the left navigation panel, then select Roles > Enterprise Operator. The screen displays the configured Enterprise Operator roles.

- In the box for Default SD-Router Operator, click the vertical dots to display the action menu.

- Click the Clone menu item. The following popup window displays.

- Enter a new name for the role, then click Submit. The system creates a copy of the role with the new name and adds it to the main Roles screen.

- Click the vertical dots to display the action menu, then click Edit. The Edit Role screen displays.

- Go to the MonitoringLifecycleGraph under Resource Permissions, and click More Permissions.

The Regions screen displays.

- Click More Permissions. The following screen displays the configured regions.

- Select a region. All of the sites belonging to the customer in the region are listed. Select a specific site, change the Permissions as needed, and click Save. In the example above, all sites in the USA-East region are set to Hide except for New York, which is set to Read.
- Click Save.
- Go back to Feature Permissions > ViewLifecycleGraph to verify that the permissions have been updated.
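
The following added example (not Versa code, and not a Concerto export format) models the Default SD-Router Operator permissions from the tables above and checks a cloned role for anything wider than the baseline or readable outside the intended sites. The dictionary layout, the `audit_clone` function, and the site names Boston and Newark are assumptions made for illustration.

```python
# Added example: the dict layout is an assumed representation of a role,
# not a format produced by Concerto.
ORDER = {"Hide": 0, "Read": 1}  # the two permission values shown on this page

# Default SD-Router Operator permissions as listed in the tables above.
BASELINE = {
    "feature": {
        "ConfigurationLifecycleGraph": "Hide",
        "AnalyticsLifecycleGraph": "Hide",
        "InventoryLifecycleGraph": "Hide",
        "ViewLifecycleGraph": "Read",
        "SystemLifecycleGraph": "Hide",
    },
    "resource": {
        "DeploymentLifecycleGraph": "Hide",
        "MonitoringLifecycleGraph": "Read",
        "SystemLifecycleGraph": "Hide",
    },
}

def audit_clone(clone, allowed_sites):
    """List every place a cloned role is wider than the baseline or its site scope."""
    findings = []
    for level, perms in BASELINE.items():
        got_perms = clone.get(level, {})
        for name, base in perms.items():
            got = got_perms.get(name)
            if got not in ORDER:
                findings.append(f"{level}/{name}: missing or unknown value {got!r}")
            elif ORDER[got] > ORDER[base]:
                findings.append(f"{level}/{name}: widened {base} -> {got}")
        for name in sorted(got_perms.keys() - perms.keys()):
            findings.append(f"{level}/{name}: not in baseline role")
    sites = clone.get("sites", {})
    for region, site_perms in sites.items():
        for site, perm in site_perms.items():
            if perm != "Hide" and (region, site) not in allowed_sites:
                findings.append(f"site {region}/{site}: {perm} outside intended scope")
    for region, site in sorted(allowed_sites):
        if sites.get(region, {}).get(site) != "Read":
            findings.append(f"site {region}/{site}: expected Read")
    return findings

# Constructed samples: the USA-East example, first with Boston left readable by mistake.
CLONE = {**BASELINE, "sites": {"USA-East": {"New York": "Read", "Boston": "Read", "Newark": "Hide"}}}
CLONE_FIXED = {**BASELINE, "sites": {"USA-East": {"New York": "Read", "Boston": "Hide", "Newark": "Hide"}}}

if __name__ == "__main__":
    print(audit_clone(CLONE, {("USA-East", "New York")}))
```

An empty result means the clone grants nothing beyond the Default SD-Router Operator baseline and exposes only the sites named in `allowed_sites`.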
View Secure SD-Router
When a user with an Enterprise Operator role logs in to a Secure SD-Router tenant, the permissions for the role determine the information that displays. For example, if a user named Branch1-Operator with the role Branch1_Enterprise Operator logs in to the branch, a screen similar to the following displays only the specific devices in the customer's branch.

For more information, see View Concerto SD-Router Dashboards.
Software Release Information
Releases 12.2.2 and later support all content described in this article.
