Propagate SSE Configurations to Subtenants

You can propagate Security Service Edge (SSE) configurations from a parent tenant to its subtenants, ensuring consistent and efficient management of shared settings. This simplifies configuration tasks and saves time, particularly for common policies that service providers (SPs) or managed service providers (MSPs) may need to enforce across all customer tenants, such as Internet Protection rules.

Use this feature when you have existing SSE configurations for a tenant that you also want on one or more subtenants. Configuration propagations are not supported for the following configurations: site-to-site tunnels, secure access, and VPN settings. Enterprise-specific configurations, for example, anything requiring uploads (such as certificates) are not supported.

The following procedure shows how to propagate changes for internet protection rules.

To propagate your tenant changes to one or more subtenants:

1. Go to Configure > Security Service Edge > Real-Time Protection > Internet Protection. 
   
   
   
   The Internet Protection Rules List screen displays.
2. Select a rule, and then click Propagate in the top menu bar. Note the Propagate icon does not display if there are no subtenants for the current tenant. 
   
   
   
   The following screen displays all enabled subtenants for the current tenant. 
   
   
3. Select one or more subtenants to which you want to propagate the rule or rules. To select all subtenants, click Sub-Tenants.
   
   In this example, one subtenant is selected, as well as the option to overwrite existing rules with the same name (checkbox). If the selected rule is already present for the target tenant and you want to overwrite the contents with that of the parent tenant rule, select the Overwrite existing rules with the same name checkbox. Note, all dependencies of the selected rule or entity will be overwritten. For example, if an IP rule has a URLF Profile dependency, and that profile was modified in the parent tenant, the updated version will overwrite the existing one during propagation.
   
   By default, if the target tenant already contains this rule, even if it is different, it is ignored.
     
4. Click Submit. The Propagating status screen displays.
   
   
   
   Note: When you propagate SSE configurations between multiple selected subtenants, all the SSE configurations that are referenced within the selected configuration are included in the propagation, such as an EIP Profile being referenced in an IP rule. 
5. To view the status of the propagation, click Tasks on the Internet Protection rules page, and then open the task to see status information.