Configure Profiles
For supported software information, see Supported Software Information, below.
You use the Configure lifecycle to create all configuration objects for Secure SD-WAN deployments. The Concerto configuration objects are hierarchical and consist of master profiles, subprofiles, policies, and rules. A master profile contains one or more subprofiles, a subprofile contains one or more policies, and a policy contains one or more rules. For more information, see Configuration Hierarchies.
To access the Configure lifecycle screen, select Configure in the left menu bar on the Concerto tenant's home screen. Then select Secure SD-WAN > Profiles.
The following figure shows a Configure lifecycle screen that displays the basic master profile (Default-Basic-MP), the default active-active HA profile (Default-Active-Active), and the basic subtenant master profile (Default-Basic-MP-Sub-Tenant, for Releases 11.2.1 and later).
Profile Types
The Concerto orchestrator has two types of profiles: master profiles and subprofiles.
Master profiles are configuration templates that you can apply to one or more appliances. Each master profile consists of subprofiles. There are two types of master profiles:
- Basic—Includes a subset of the available configuration objects. You can build most configuration objects in the basic master profile in the same way that you build them in standard master profiles. For Releases 11.2.1 and later, the subtenant basic master profile allows you to configure security and application services. The basic master profile provides a simple user experience and eliminates the subprofiles hierarchy. Instead of creating subprofiles, you create policies and rules and then attach them directly to the basic master profile. For Releases 11.2.1 and later, a master profile can be for a single tenant or for multiple tenants.
- Standard—Includes all available configuration objects and provides more configuration options.
The following types of subprofiles are available:
- Application—Use to create QoS and traffic-steering policies.
- Device—Use to create BGP peer, interface, and radio policies.
- Network Services—Use to create CGNAT, DHCP, and WLAN policies.
- Security—Use to create access control, antivirus, IP-filtering, IPS, and URL-filtering policies.
- Topology—Use to create VPN policies, including branch and hub policies.
Default Master Profiles
When you install the Concerto software or create a new tenant, Concerto automatically builds three default basic master profiles for the tenant:
- Default-Basic-MP
- Default-Active-Active
- Default-Basic-MP-Sub-Tenant (for Releases 11.2.1 and later)
The default master profiles consist of preconfigured network, security, and application objects, as shown below. The default basic subtenant master profile consists of only application and security objects. Concerto creates these basic master profiles automatically for each tenant on Concerto. You can customize the Default-Basic-MP master profile and use it for single-appliance or multitenant site deployments. You can customize the Default-Active-Active master profile and use it for active–active appliance HA site and multitenant deployments.
When you click the Ellipses icon for a basic master profile or standard master profile, a popup window displays the following options:
- Edit—Click to configure a new version of the basic master profile. Each version is assigned a new version number, and the original default master profile remains.
- Clone—Click to create a new master profile based on the basic master profile. After you make changes to the configuration objects, save it with a unique name.
- References—Click to view all the appliances using this master profile.
- Propagate—Click to view all the appliances using previous versions of this master profile, and select all appliances or a subset of them to which to apply this master profile version.
- Delete—Click to delete the master profile.
For HA, a default active–active HA basic master profile is provided. You can build active-active HA profiles directly in the default active–active HA basic master profile. The following figure shows the network diagram for the default active–active HA master profile.
Note: Before using the built-in default basic master profiles, do the following:
- Set the connection names on each WAN interface under the Connection tab.
- Set the Direct Internet Access connection names under VPN Instances under the Others tab.
If you do not set the connection names used on the appliances in the master profile, when you try to publish the master profile to an appliance, the publish process fails. For more information, see Make Mandatory Updates to the Default Basic Master Profile.
To create an active–active HA deployment, you create a single profile and use it on both the primary and secondary HA appliances. All configuration changes and bind-variable value assignments are made on the primary appliance, even if they are meant for the secondary appliance. After you create the configuration for the primary appliance, Concerto uses that configuration to build the configuration for the secondary appliance in the HA pair. After you configure both HA appliances, you publish each of the appliances separately to create the HA deployment.
The cross-connect interface shown in the figure above is optional. If the WAN interfaces on both the primary and secondary appliances are the same, that is, if the circuits are the same in each WAN interface, you do not need to add the cross-connect interface. If you do need the cross-connect, you configure it in the same way as any other interface type.
You can also convert any non-HA master profile to active–active mode by simply adding a redundant WAN interface to it. Redundant WAN interfaces are attached to the secondary appliance.
For Releases 11.2.1 and later, Concerto provides a default subtenant basic master profile at the subtenant level. You use a subtenant standard master profile to configure security and application services for a subtenant. The subtenant basic master profile does not support other services.
Make Mandatory Updates to the Default Basic Master Profile
When you create a new tenant in the Concerto orchestrator, several built-in configuration objects are created, and they are packaged with the Concerto software. One of the built-in objects is the default basic master profile, which is named Default-Basic-MP.v1. You must update this profile before using it on an appliance. You can also clone this basic master profile and modify it before applying it to an appliance.
In the Default-Basic-MP.v1 object, the following interfaces are preconfigured:
- Three WAN interfaces
  - Two wired interfaces, named Private and Internet
  - One LTE interface
- Three LAN interfaces
  - One wired LAN interface
  - One enterprise WiFi interface
  - One guest WiFi interface
The following figure shows the default WAN and LAN interfaces in the default basic master profile. The Type field shows that the master profile is a basic master profile.
Before you use the default basic master profile on an appliance, you must disable the interfaces that are not required and then associate them with one of the WAN connections (the WAN networks defined on the Director node). You must also set the direct internet access connection names under VPN Instances.
To make the mandatory updates to the default basic master profile:
1. In Tenant view, select the Configure lifecycle in the left menu bar.
2. Select Profiles > Master Profiles.
3. Select the Default-Basic-MP profile in the main pane. The Edit Master Profile screen displays.
4. Select the Profile tab. The Network subtab displays, showing a diagram of the network.
5. Click the WAN box in the network diagram. The WAN screen displays the three WAN interfaces. Because these interfaces are specific to each deployment, the default basic master profile is not preconfigured with connection names for the WAN interfaces.
6. Click an interface name. The Edit Interface screen displays.
7. Click the Connection tab, and then select a connection in the Connection Name field. The following screenshot shows that the Internet-1 connection is selected.
8. Repeat Step 7 for the other two WAN interfaces.
9. To set the direct internet access connection names, click the Others tab in the Edit Master Profile screen.
10. Click the VPN instances box. The VPN Instances screen displays.
11. Click a VPN instance. The Edit VPN Instance screen displays.
12. Click VPN, and then under Paths, select Direct Internet.
13. Under Circuit, select a connection name, and then under Priority, select a priority for the direct internet access (DIA) connection.
14. Click the Permissions tab, and then click Save. A message displays at the top of the Configuration screen confirming that the basic master profile has been updated successfully.
Make Optional Updates to the Default Basic Master Profile
Based on your site configuration requirements, you may need to create a new basic master profile. To do this, you clone the Default-Basic-MP.v1 master profile and then update it as needed. The following are some of the common changes you can make to the master profile:
- Configure a multitenant master profile.
- Disable the LTE interface.
- Enable or disable DIA.
- Update the authentication protocol for the WiFi interface.
- Add traffic steering, QoS, and security rules.
- Update or add services.
Configure a Multitenant Basic Master Profile
For Releases 11.2.1 and later.
You can edit a default active–active master profile or default basic master profile to allow multitenancy. With a multitenant basic master profile, you can create multitenant appliances for a provider organization. You can create new subtenants, and you can attach existing subtenants while publishing the provider organization appliance that uses the multitenant master profile. Appliances are automatically created in the subtenants associated with a provider appliance that uses a multitenant master profile.
In a multitenant basic master profile, you create interfaces for subtenants in the provider tenant profile. Because interfaces, networks, and routing instances are common appliance resources, configuring them at the provider tenant level avoids overlapping of the configuration among tenants. For example, multiple tenants can use vni-0/0.1 independently on the same appliance. Having shared resources such as interfaces helps to avoid such misconfiguration and simplify the implementation. You configure interfaces and routing on a multitenant appliance at the provider tenant level. The provider user can mark each interface for the subtenant to which it belongs. The remainder of the service configuration, such as security, traffic steering, and application QoS, can be performed at the subtenant level by subtenant or provider tenant users.
To configure a multitenant basic master profile:
- Configure the scope of the default active–active (Default-Active-Active) or default basic master profile (Default-Basic-MP) to multitenant.
  - Click the basic master profile.
  - In Edit Master Profile > General, select Multitenant in the Scope field.
- Configure subtenant LAN interfaces for subtenants that are associated with the provider organization. By default, the master profile contains a LAN interface. Note that you can create subtenant LAN interfaces only for basic master profiles of type Multitenant.
  - Select Edit Master Profile > Profile. The Network subtab displays, showing a diagram of the network.
  - Click LAN.
  - In the LAN screen, click Add Interfaces > Create New. The LAN screen displays the default enterprise LAN interface.
  - In Create Interface screen > General tab, enter a name for the subtenant LAN interface.
  - In the Category field, select Subtenant-LAN.
  - Select the location.
  - In the Subtenant field, select the subtenant for which you are creating the subtenant LAN interface.
  - Click Next. The Address and Routing tab displays.
  - Enter the IPv4 address for the LAN interface.
  - In the VPN Name field, select the tenant's VPN. By default, the VPN of the tenant you selected in the General tab is displayed.
  - Enter information in the other fields, and then save the subtenant LAN interface. The interface that you add displays under Subtenant LAN.
  - Repeat this step for each subtenant.
- Create VPN instances to associate subtenant VPNs with the master profile for the provider organization.
  - In Edit Master Profile > Profile, select the Others tab.
  - Click the VPN Instance field. In the VPN Instances screen, click Add VPN Instance, and then click Create New.
  - In the Create VPN Instance screen, select the General tab.
  - Enter a name for the VPN instance for the tenant.
  - Under VPN, select the tenant for which to create the VPN instance.
  - Select the name of the VPN connection. By default, the VPN connection of the tenant displays.
  - Enter information in the other fields.
  - Click Next, and then save the VPN instance. The VPN instance displays in the VPN Instances screen.
  - Repeat this step for all subtenant VPNs.
- After you update the master profile, deploy the appliance associated with the master profile. When you publish, Concerto creates a subtenant appliance in each of the subtenants. For more information, see Concerto Deploy Lifecycle Overview.
Edit the Subtenant Basic Master Profile
For Releases 11.2.1 and later.
You can use a subtenant standard master profile to configure security and application services for a provider organization.
To edit a subtenant basic master profile:
- Click the basic subtenant master profile, which the GUI displays as Default-Basic-MP-subtenant. You cannot edit the Type and Scope fields.
- Click Next. The Profile > Security tab displays.
- Modify the security policies, if required. For more information, see Update Security Policies and Rules, below.
- (For Releases 12.1.1 and later.) To modify the security policy, on the Policies tab, click the policy name.
- (For Releases 11.4.3 and earlier.) To modify the security policy, click the policy name.
- (For Releases 12.1.1 and later.) Select the Profiles tab, and then modify the security profiles, if required. For more information, see Update Security Policies and Rules, below.
- Select the Application tab, and then modify the QoS and traffic-steering policies, if required. For more information, see Configure QoS Policies and Rules and Configure Traffic-Steering Policies and Rules, below.
- Make other changes in the Others and Permissions tabs.
- Save the subtenant basic master profile.
Disable the LTE Interface
- In Edit Master Profile > Profile > Network, click the Ellipses icon in the LTE box, and then select Edit. The Edit Interface screen displays.
- Click the Enabled indicator so that it is grayed out. The LTE interface is disabled.
Enable or Disable DIA on a WAN Interface
- In Edit Master Profile > Profile > Network, click the interface on which to enable or disable DIA. The Edit Interface screen displays.
- In the Connection Name field, configure a name for the interface. Configure the connection name before you change the connection type.
- In Edit Master Profile > Profile > Network, click the VPN Only icon for the interface you are changing.
- To enable DIA, click the Internet and VPN (Split Tunnel) icon. To disable DIA, click the VPN Only icon.
- Select the Permissions tab, and then click Save.
Enable a Speed-Test Server on a WAN Interface
To troubleshoot link speed issues, you can configure a WAN interface to be a speed-test server.
To configure a WAN interface to be a speed-test server:
- In Edit Master Profile > Profile > Network, click the interface on which to enable the speed-test server. The Edit Interface screen displays.
- Select the General tab.
- In the Speed-Test Server field, click the slider to enable a server.
- Ensure that the interface category is WAN.
- Select the Permissions tab, and then click Save.
Update the WiFi Interface Authentication Protocol
- In Edit Master Profile > Profile > Network, click the WiFi box.
The WLAN screen displays.
- Click the Ellipses icon of the WLAN network that you want to update, and then click Edit. The Edit WLAN screen displays.
- Select the Advanced tab. The following screen displays.
- For Wired Equivalent Privacy (WEP)-based authentication, enter information for the following fields.
  - Authentication (Group of Fields)
    - Protocol—Select the protocol:
      - WEP Auto
      - WEP Open
      - WEP Shared Key
    - Key Length—Select the key length:
      - 64 bits
      - 128 bits
    - Key Type—Use the slider bar to select the key type:
      - ASCII
      - HEX
    - Key Text—For the ASCII key type, enter 5 characters for the key text. For the HEX key type, enter 10 characters for the key text.
  - Interface Name—Click in the Name field, and then select an interface name.
- For WiFi Protected Access (WPA)-based authentication, enter information for the following fields.
  - Authentication (Group of Fields)
    - Protocol—Select the protocol:
      - WPA
      - WPA/WPA2 Auto
      - WPA2
    - Mode—Use the slider bar to select the mode:
      - Enterprise
      - Personal
    - Passphrase—Enter a passphrase (password), which can be from 8 to 63 characters.
    - Encryption—Select the encryption type:
      - Auto
      - CCMP
      - Temporal Key Integrity Protocol (TKIP)
  - Interface Name—Click in the Name field and select an interface name.
- Click Next, or select the Permissions tab, and then click Save.
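The field constraints in the WEP and WPA tables above can be checked before a profile is saved, together with the protocol and cipher choices that a security review would question (WEP and TKIP are long-deprecated). The following Python is an added example, not Versa code: the dict layout, key names, and function names are hypothetical and only mirror the GUI field labels, and applying the 5/10-character key-text rule to the 64-bit key length only is an assumption.

```python
import string

# Protocol choices exactly as listed in the WEP and WPA field tables on this page.
WEP_PROTOCOLS = {"WEP Auto", "WEP Open", "WEP Shared Key"}
WPA_PROTOCOLS = {"WPA", "WPA/WPA2 Auto", "WPA2"}
# Key-text lengths stated on the page. Assumption: applied to the 64-bit key
# length only, because the page gives no separate lengths for 128 bits.
WEP_KEY_TEXT_LEN = {"ASCII": 5, "HEX": 10}
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63  # "from 8 to 63 characters"


def _check_wep_key(wlan):
    """Validate the Key Type and Key Text fields of a WEP WLAN."""
    key_type = wlan.get("key_type")
    key_text = wlan.get("key_text", "")
    if key_type not in WEP_KEY_TEXT_LEN:
        return [("error", f"key type must be ASCII or HEX, got {key_type!r}")]
    findings = []
    if key_type == "HEX" and not all(c in string.hexdigits for c in key_text):
        findings.append(("error", "HEX key text contains non-hexadecimal characters"))
    want = WEP_KEY_TEXT_LEN[key_type]
    if wlan.get("key_length") == 64 and len(key_text) != want:
        findings.append(
            ("error", f"key text must be {want} {key_type} characters, got {len(key_text)}"))
    return findings


def _check_wpa(wlan):
    """Validate Protocol, Encryption, Mode and Passphrase of a WPA WLAN."""
    findings = []
    proto = wlan["protocol"]
    if proto != "WPA2":
        findings.append(("weak", f"{proto}: allows the original WPA, which is deprecated; prefer WPA2"))
    enc = wlan.get("encryption")
    if enc == "TKIP":  # the page's Temporal Key Integrity Protocol option
        findings.append(("weak", "TKIP is deprecated; select CCMP"))
    elif enc == "Auto":
        findings.append(("review", "Auto does not pin the cipher to CCMP"))
    elif enc != "CCMP":
        findings.append(("error", f"unknown encryption type {enc!r}"))
    mode = wlan.get("mode")
    if mode == "Personal":
        # Assumption: the passphrase applies to Personal mode only.
        n = len(wlan.get("passphrase", ""))
        if not PASSPHRASE_MIN <= n <= PASSPHRASE_MAX:
            findings.append(
                ("error", f"passphrase must be {PASSPHRASE_MIN} to {PASSPHRASE_MAX} characters, got {n}"))
    elif mode != "Enterprise":
        findings.append(("error", f"mode must be Enterprise or Personal, got {mode!r}"))
    return findings


def audit_wlan(wlan):
    """Return (severity, message) findings for one WLAN settings dict."""
    proto = wlan.get("protocol")
    if proto in WEP_PROTOCOLS:
        weak = ("weak", f"{proto}: WEP is cryptographically broken; use WPA2 with CCMP")
        return [weak] + _check_wep_key(wlan)
    if proto in WPA_PROTOCOLS:
        return _check_wpa(wlan)
    return [("error", f"unknown protocol {proto!r}")]


# Constructed sample settings (not taken from any real profile).
SAMPLE_WLANS = [
    {"name": "Guest-WiFi", "protocol": "WEP Shared Key", "key_length": 64,
     "key_type": "HEX", "key_text": "0A1B2C3D4"},
    {"name": "Legacy-WiFi", "protocol": "WPA/WPA2 Auto", "mode": "Personal",
     "passphrase": "short7!", "encryption": "TKIP"},
    {"name": "Enterprise-WiFi", "protocol": "WPA2", "mode": "Personal",
     "passphrase": "correct-horse-battery-42", "encryption": "CCMP"},
]

if __name__ == "__main__":
    for wlan in SAMPLE_WLANS:
        for severity, message in audit_wlan(wlan) or [("ok", "no findings")]:
            print(f"{wlan['name']}: [{severity}] {message}")
```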
Update Security Policies and Rules
- In the Edit Master Profile screen, select Profile > Security. The Policies tab displays the security policies, if any, that are associated with them.
- (For Releases 12.1.1 and later.) Select the Profiles tab, and then click a profile name to display information about a profile.
- To display information about a policy, click the policy name on the Policies tab. The Edit Policy screen displays. The following screenshot shows the Edit IP Filtering Policy screen.
- To create a new rule or choose an existing rule for the policy, select the Rules tab. For more information, see Create a New Rule, below.
- To display the inherited permissions for the default roles and change them, if desired, select the Permissions tab.
- Click Save.
Configure QoS Policies and Rules
For information about configuring QoS policies and rules, see Configure QoS Policies and Rules.
Configure Traffic-Steering Policies and Rules
For information about configuring traffic-steering policies and rules, see Configure Traffic-Steering Policies and Rules.
Update or Add Services
You can update or add services, including those for BGP peer policy, CGNAT, DHCP, Director service templates, management server policies, user management policies, and VPN instances.
To update or add services:
- In the Edit Master Profile screen, select Profile > Others. The following screen displays.
- To update an existing DHCP service or add a new DHCP service, click the DHCP box. The DHCP screen displays.
- To display or update information about the service, click an existing DHCP service, such as Enterprise-LAN-DHCP.v1 in the screenshot above.
- To add a new DHCP service, click Add Service. You can create a new service or choose an existing service.
- To update an existing CGNAT service or add a CGNAT service, click CGNAT. In the CGNAT screen, click Add Service to add a new service. You can create a new service or choose an existing service. The Create CGNAT screen displays. Enter information for the following fields.
  - Name—Enter a name for the CGNAT service.
  - Enable—The slider bar is in the Enabled position by default. To disable the CGNAT service, click the slider bar so that it is grayed out.
  - NAT Mode—Select the NAT mode:
    - Basic NAT. This is the default.
    - Destination NAT
    - Dynamic NAT
    - NAPT
    - Twice Basic NAT
    - No Translation
    Default: Basic NAT
  - Tenant—(For Releases 11.4.1 and later.) Select a tenant. The list displays the current tenant and all child tenants. If a tenant is not selected, the system displays the name of the current tenant only, not any child tenants.
- Select the Criteria tab, and then enter information for the following fields.
  - Type (Source)—The Source type is selected by default, and you cannot change it. Select the type of source to use:
    - IP Ranges—Enter an IP address range, such as 10.10.1.1-10.10.1.100, and then click the Check mark icon or press Enter. You can enter multiple address ranges.
    - Subnets—Enter an IP address subnet, such as 10.1.1.0/24.
    - VPN Name—Select a VPN name.
    - Zones—Select a zone.
  - Type (Destination)—The Destination type is selected by default, and you cannot change it. Select the type of destination to use:
    Note: The IP Ranges and Subnets options are mutually exclusive; you can select one or the other, but you cannot select both of them.
    - IP Ranges—Enter an IP address range, such as 10.10.1.1-10.10.1.100, and then click the Check mark icon or press Enter. You can enter multiple address ranges.
    - Port—Enter a destination port number.
      Range: 1 through 65535
      Default: None
    - Port Range—Enter a destination port range, such as 80-88.
    - Subnets—Enter an IP address subnet, such as 10.1.1.0/24.
    - Zones—Select a zone.
  - Protocols—Select one or more protocols:
    - ESP
    - ICMP
    - UDP
    - 0 through 255
- Select the Action tab, and then enter information for the following fields.
  - Logging—Click the slider bar to enable logging to Versa Analytics.
  - Translated Sources—Select the translated sources based on VPN names or WAN connections:
    - VPN Name—Select a VPN name.
    - WAN Connection—Select a WAN connection.
    Select the translated sources from IP addresses, subnets, or IP address ranges:
    - IP Addresses—Enter an IP address, and then click the Check mark icon or press Enter. You can enter multiple IP addresses.
    - IP Ranges—Enter an IP address range, and then click the Check mark icon or press Enter. You can enter multiple IP address ranges.
    - Subnets—Enter an IP subnet, and then click the Check mark icon or press Enter. You can enter multiple IP subnets.
- Select the Permissions tab, and revise the permissions, if needed.
- Click Save to create the CGNAT service.
- To display existing VPN instances or add new VPN instances, click VPN. The VPN Instances screen displays.
- To display or update information about the instance, click an existing VPN instance.
- In the Type field, select Branch or Hub.
- To set or update the topology, click VPN and then select a topology. If you selected Hub in the Type field, the topology options are hidden.
- Under Paths, select Direct Internet, Underlay, or both:
  - Direct Internet—Enable or disable DIA for the VPN. If you enable Gateway, the appliance acts as an internet gateway for the enterprise and re-advertises default routes on the SD-WAN overlay to other appliances.
  - Underlay—Enable or disable underlay routing to non-SD-WAN appliances over the MPLS network without performing NAT on the traffic. If you enable Gateway, the appliance acts as a gateway to non-SD-WAN networks and re-advertises routes from the MPLS underlay to the SD-WAN overlay.
- To update an existing BGP peer policy or add a new policy, click + BGP Peer Policy. If you refer to a BGP peer policy in the BGP neighbor configuration on a WAN or LAN interface, you should attach the peer policy to the BGP peer policies list. For more information, see Configure SASE BGP Peer Policies.
- To add or move a Director service template, click Director Service Templates. The following screen displays.
- To move a service template up or down in the list, click Move. The following screen displays.
- To choose which direction to move the rule, click Before or After.
- Enter the rule number.
- Click Move.
- To add a service template, click + Select Templates. The following screen displays the available templates.
- Select one or more service templates, and then click Add. The template is added to the Director Service Templates screen.
- For Releases 11.1.1 and later, to update management server policies for NTP, SNMP, syslog, and TACACS+, or to add a new management server policy, click + Management Servers. For more information, see Configure Management Servers.
- For Releases 11.3.1 and later, to create a user management policy or associate an existing user management policy with the master profile to add and manage VOS device users, click + User Management. For more information, see Manage VOS Users.
- For Releases 11.3.1 and later, to apply different services templates to the devices in a master profile for redundant devices:
- Go to Configure > Profiles > Master Profiles, and select a master profile for redundant devices.
- In the Edit Master Profile screen, click Profile > Others.
- Under Director Service Templates, click the Service Template box. The Director Service Templates screen displays the tenant's current service templates.
- Click + Service Templates in the lower right corner of the screen. The Choose Service Template screen displays the available service templates.
- Select one or more service templates, and then click Add. The templates are added to the Director Service Templates screen. By default, the service templates are added to both the primary and secondary devices in the redundant configuration. Note that the Appliance Type column displays only when you are editing a master profile for redundant devices.
- To apply the service template to only one of the redundant devices, click the drop-down list and then select either the Primary or Secondary device in the pair.
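The value formats on the CGNAT Criteria tab described above (IP ranges such as 10.10.1.1-10.10.1.100, subnets such as 10.1.1.0/24, ports 1 through 65535, port ranges such as 80-88, protocol numbers 0 through 255, and the note that IP Ranges and Subnets are mutually exclusive) can be checked before the values are entered. The following Python is an added example, not Versa code: the dict layout and function names are hypothetical, and rejecting subnets with host bits set is this example's own choice.

```python
import ipaddress

# Protocol names as listed in the Protocols field on this page.
PROTOCOL_NAMES = {"ESP", "ICMP", "UDP"}


def parse_ip_range(text):
    """Parse 'FIRST-LAST' (for example 10.10.1.1-10.10.1.100) into two addresses."""
    first_s, sep, last_s = text.partition("-")
    if not sep:
        raise ValueError(f"{text!r}: expected FIRST-LAST")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if first.version != last.version:
        raise ValueError(f"{text!r}: mixes IPv4 and IPv6")
    if first > last:
        raise ValueError(f"{text!r}: first address is above last address")
    return first, last


def parse_subnet(text):
    """Parse a subnet such as 10.1.1.0/24; host bits must be zero (example's choice)."""
    return ipaddress.ip_network(text.strip(), strict=True)


def parse_port(value):
    """Parse a destination port; the page gives the range 1 through 65535."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"{value!r}: port must be 1 through 65535")
    return port


def parse_port_range(text):
    """Parse 'LOW-HIGH' (for example 80-88) into two ports."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError(f"{text!r}: expected LOW-HIGH")
    low, high = parse_port(low_s), parse_port(high_s)
    if low > high:
        raise ValueError(f"{text!r}: low port is above high port")
    return low, high


def parse_protocol(value):
    """Accept a listed protocol name or a protocol number 0 through 255."""
    name = str(value).strip().upper()
    if name in PROTOCOL_NAMES:
        return name
    try:
        number = int(name)
    except ValueError:
        raise ValueError(f"{value!r}: not a listed protocol name or a number") from None
    if not 0 <= number <= 255:
        raise ValueError(f"{value!r}: protocol number must be 0 through 255")
    return number


def validate_destination(dest):
    """Return a list of error strings for a destination-criteria dict."""
    errors = []
    if dest.get("ip_ranges") and dest.get("subnets"):
        errors.append("IP Ranges and Subnets are mutually exclusive")
    list_fields = (("ip_ranges", parse_ip_range), ("subnets", parse_subnet),
                   ("protocols", parse_protocol))
    for field, parser in list_fields:
        for value in dest.get(field, []):
            try:
                parser(value)
            except ValueError as exc:
                errors.append(f"{field}: {exc}")
    for field, parser in (("port", parse_port), ("port_range", parse_port_range)):
        if dest.get(field) is not None:
            try:
                parser(dest[field])
            except ValueError as exc:
                errors.append(f"{field}: {exc}")
    return errors


# Constructed sample criteria (not taken from any real CGNAT service).
GOOD_DESTINATION = {"ip_ranges": ["10.10.1.1-10.10.1.100"],
                    "port_range": "80-88", "protocols": ["UDP", "50"]}
BAD_DESTINATION = {"ip_ranges": ["10.10.1.100-10.10.1.1"], "subnets": ["10.1.1.5/24"],
                   "port": 0, "port_range": "88-80", "protocols": ["ESP", "256"]}

if __name__ == "__main__":
    for label, dest in (("good", GOOD_DESTINATION), ("bad", BAD_DESTINATION)):
        for line in validate_destination(dest) or ["no errors"]:
            print(f"{label}: {line}")
```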
Clone the Default Basic Master Profile
You can create a new basic master profile by cloning one of the default basic master profiles, changing the configuration objects as needed, and saving the new basic master profile with a unique name. For example, you could create a new master profile to apply to hub appliances, and a second new master profile to apply to spoke appliances.
Enter a new name for the master profile, then click Submit. You can then edit the new basic master profile as needed. For information on the master profile screens, see Add a Standard Master Profile, below.
Add a Standard Master Profile
To add a standard master profile:
- In Tenants view, select the name of a tenant. If the default lifecycle is not the Configure lifecycle, select Configure in the left menu bar. The Configure screen displays.
- To create a new master profile of type Standard, click Configure > Profiles > Master Profiles > Standard, and then click + Standard.
The New Master Profile screen displays.
- In the Name field, enter a name for the new master profile.
- In the Solution Tier field, select a Versa licensing solution tier.
- For Releases 11.2.1 and later, in the Scope field, select whether the master profile is for single tenant, multitenant, or subtenant. By default, Single Tenant is selected.
- Click Next. The Subprofiles tab displays.
- Click + Profile to add a subprofile to the master profile. You can create a new subprofile or reuse an existing one.
Reuse an Existing Subprofile
To reuse an existing subprofile in a new master profile:
- In New Master Profile > Subprofiles tab, click Choose Existing. The Choose Subprofiles screen displays.
- Select one or more existing subprofiles to use in the new master profile.
- Click Add.
Create a New Subprofile
To create a new subprofile to use in a new master profile:
- In the New Master Profile > Subprofiles tab, click + Profile. The following popup window displays.
- Click the down arrow, and then select a profile type. The profile types are Security, Application, Device, Network Services, Topology, and, for Releases 11.3.1 and later, System.
- Click Create New Profile. The Create Type Subprofile screen displays. The following screenshot shows the Create Security Subprofile screen.
- Enter a name for the subprofile.
- Select the Policy tab or click Next. The Policy screen displays.
- Click + Policy to create a new policy or to reuse an existing one.
Reuse an Existing Policy
To reuse an existing policy:
- Click Choose Existing. The Choose Policies screen displays.
- Select one or more existing policies.
- Click Add.
Create a New Policy
To create a new policy:
- Select a policy type, and then click Create New Policy.
The Create Policy screen displays, and the General tab is selected. The following screenshot shows the Create IP Filtering Policy screen.
- Enter a name for the new policy.
- Click Next. The Rules tab displays. You can create a new rule or reuse an existing one.
- Click Add Rule.
Reuse an Existing Rule
To reuse an existing rule:
- Click Choose Existing Rule. The Choose Rules screen displays.
- Select one or more existing rules.
- Click Add.
Create a New Rule
To create a new rule:
- Click Create New. The Create Rule screen displays. The following screenshot shows the Create IP Filtering Rule screen.
- Enter a name for the rule.
- Click Next. The Criteria tab displays. In the Criteria Type field, enter information for the following fields.
  - Address Group—Click in the field to the right of Address Group and select a group. You can select multiple address groups.
  - Location—Click in the field to the right of Location, and then select a location. Then, in the Match Type field, select a match type:
    - Match Only Source
    - Match Only Destination
    - Match Source or Destination
    - Match Source and Destination
  - Reputation—Click in the field to the right of Reputation, and then select one or more reputations.
- Click Next. The Actions tab displays.
- In the Action field, select an action:
  - Drop Packet
  - Drop Session
  - Allow
  - Alert
  - Reject
- Click Save.
Configure a Multitenant Standard Master Profile
For Releases 11.2.1 and later.
A multitenant master profile allows you to create multitenant appliances for a provider organization. You can create new subtenants and you can attach existing subtenants while publishing the provider organization appliance that uses the multitenant master profile. Appliances are automatically created in the subtenants associated with the provider appliance that uses a multitenant master profile.
To configure a multitenant standard master profile:
- Configure a standard master profile with the scope Multitenant.
  - Go to New Master Profile > General.
  - Enter a name for the profile.
  - Select the solution tier.
  - In the Scope field, select Multitenant.
  - Click Next.
- Configure a device subprofile to add LAN interfaces for the subtenants you want to onboard.
  - Go to New Master Profile > Subprofiles, click + Profile, select Device, and then click Create New Profile.
  - In Create Device Subprofile > General, enter a name for the subprofile.
  - Click Next.
  - In the Policy tab, click + Policy, select Interface, and then click Create New Policy. The Create Interface Policy screen displays.
  - In Create Interface Policy > General, enter a name for the interface policy.
  - Click Next. The Interfaces tab displays.
  - Click Add Interface and then click Create New. The Create Interface screen displays. You can also choose an existing interface.
  - Enter a name for the interface.
  - In the Category field, select Subtenant LAN. Note that to create a LAN for the provider organization, select LAN.
  - In the Subtenant field, select the subtenant for which you are creating the subtenant LAN interface.
  - Enter other required information.
  - Click Next. The Address and Routing tab displays.
  - Enter the IPv4 address for the LAN interface.
  - Select the VPN of the tenant in the VPN Name field. The VPN of the tenant you selected in the General tab is displayed by default.
  - Click Next.
  - Enter other information, if required.
  - Save the subtenant LAN interface. The interface that you added is displayed under subtenant LAN.
  - Repeat this step for other subtenant LANs.
- Create a Topology subprofile to add a VPN policy and VPN instances to associate subtenant VPNs with the standard master profile.
  - In New Master Profile > Subprofiles, click + Profile. Then select Topology, and click Create New Profile. The Create Topology Subprofile screen displays.
  - In Create Topology Subprofile > General, enter a name for the subprofile.
  - Click Next.
  - In the Policy tab, click + Policy, select VPN, and then click Create New Policy.
  - In Create VPN Policy > General, enter a name for the VPN policy.
  - Click Next.
  - In the VPN Instances tab, click Add VPN Instance > Create New. To select existing VPN instances, click Choose VPN Instance.
  - Select Create VPN Instance > General.
  - Enter a name for the VPN instance for the tenant.
  - Under VPN, select the subtenant for which to create the VPN instance.
  - Select the name of the VPN connection. The VPN connection of the subtenant selected is displayed by default.
  - Enter other required information.
  - Click Next and save the VPN instance. The VPN instance displays in the VPN Instances screen.
  - Repeat this step for all subtenant VPNs.
  - Click Next. In the Permissions tab, set the permissions.
  - Save the VPN policy. The VPN policy displays in the Policy tab.
  - Click Next. In the Permissions tab, set the permissions as required and then save the Topology subprofile.
- Deploy the appliance associated with the standard master profile. When you publish, Concerto creates a subtenant appliance for each of the subtenants. For more information, see Concerto Deploy Lifecycle Overview.
Configure a Subtenant Standard Master Profile
For Releases 11.2.1 and later.
You can use a subtenant standard master profile to configure services such as security, traffic steering, and application QoS for a subtenant. You can create application and security subprofiles only for a standard master profile.
To configure a subtenant standard master profile:
- Go to New Master Profile > General.
- Enter a name for the profile.
- Select the solution tier.
- In the Scope field, select subtenant.
- Click Next.
- In the Subprofiles tab, click + Profile, select Application or Security, and then click Create New Profile. Application and Security are the only subprofile options available for a subtenant standard master profile.
- Enter other required information.
- Save the subtenant standard master profile.
- Deploy the appliance associated with the standard master profile. For more information, see Concerto Deploy Lifecycle Overview.
Supported Software Information
Releases 10.2.1 and later support all content described in this article, except:
- Release 11.2.1 adds support for a new default basic master subtenant profile, Default-Basic-MP-Sub-Tenant, and for multitenancy configuration in the Default-Active-Active and Default-Basic-MP basic master profiles.