Skip to main content
Versa Networks

Versa Titan Release Notes for Releases 9.3.0 and 9.3.1

  1. Last updated
  2. Save as PDF

This document describes features, enhancements, bug fixes, limitations, and recommendations in the Release 9.1.0 Versa Titan software, for Releases 9.1.1, 9.3.0, and 9.3.1.

Note that the Versa Titan software supports Versa Operating SystemTM (VOSTM) Releases 21.2.2 and later. You must have the latest supported version of VOS on your devices. To check your software version, go to Inventory menu in the Titan Portal dashboard. To upgrade the software, see Upgrade Software.

For more information on VOS release and features, see Versa Operating System (VOS) Release Notes for Release 21.2.

July 25, 2022
Revision 4

New Features

This section describes the new Versa Titan features introduced in Releases 9.1.0 and later. All features are introduced in Release 9.1.0 unless otherwise noted.

Note that for Releases 9.3.1 and later, Order Management for MSPs (Titan Shop) is deprecated and all the functionalities are available in the Titan Portal.

Titan Portal

Audit Logs

  • Audit logs—The Audit Logs option on the Titan Dashboard allows you to view and download audit logs, and it provides details about the API calls and responses. See Manage Device Inventory.

    portal-audit-logs.png
     
  • Audit log display for customers—To display audit logs on a customer's Titan Dashboard, select Audit Logs when you are creating the customer.

    new-customer-audit-log.png

Default Configuration

  • Default template with additional view for devices—(For Releases 9.3.0 and later.) You can edit or clone the default template and the default configuration using the Wrench icon on the bottom menu bar in the Configure dashboard. All sites created after you save the changes use the new values. You can select the new configuration template when you configure a new site. See Titan Portal Home Screen.

    template-select-new-site.png

    In the Select Template window, you can clone the template and save as a new template, delete a custom template, and view the devices that use the template.

    default-template-select.png

DNS Proxy

  • DNS Proxy tab—(For Releases 9.3.0 and later.) You can configure a Titan device to act as a DNS proxy by creating DNS proxy profiles and rules. You can configure DNS proxy configuration only on devices using the secure application optimization license. See Configure a DNS Proxy.

    dns-proxy-tab.png

Inventory

  • Base model and add-on NIC for CSG Series appliances—Separation of base model and add-on NIC for CSG300, CSG700, and CSG1000 Series appliances. See Add Devices Using Titan Portal.

    portal-add-device-details-ccsg.png
     
  • cCSG appliances—cCSG licenses with SKUs for cCSG medium, cCSG large, and cCSG x-large. You can deploy the software and license on any cloud.

    portal-add-device-details-other-hardware.png
     
  • Custom logs profile—Titan Portal sends Syslog messages when the match conditions are met. The default behavior is none. You need to configure Syslog server in Inventory > Management Profile > Custom Logs Profile. See Manage Device Inventory.

    portal-inventory-management-custom-log-profile.png
     
  • License details view in dashboard—(For Releases 9.3.0 and later.) A store administrator, MSP, or reseller can view the number of total, active, SASE licenses in the organization dashboard.

    organization-add-devices-option.png
     
  • Management profile—Custom Logs Profile and SNMP Profile have moved under Management Profile (Inventory > Management Profile).

    RN-mgmt-profile.png
     
  • Secure application optimization license—(For Releases 9.3.0 and later.) The secure application optimization license tier supports DNS proxy configuration, TCP optimization, steering with voice MOS value, and hub–controller. You can use this license tier on all devices except CSG350 and CSG730 devices.

    secure-application-optimization.png
  • SNMP profile—You can configure SNMP server information and receive all traps generated by the device for management by configuring an SNMP profile in Inventory > Management Profile > SNMP Profile. See Manage Device Inventory

    RN-snmp-profile.png
  • Spoke groups—You can configure spoke groups from Inventory > Spoke Group. For spoke groups to be available, hubs and spokes must be activated. See Manage Device Inventory.

    portal-inventory-spoke-group.png
     
  • Upgrade and installation of VOS software—Inventory menu has an action for self-upgrading and installing VOS software. Customers and MSPs can upgrade their devices from the Inventory menu. See Manage Device Inventory.
  • Upload CA certificates—You can upload CA certificates for the SASE gateway from the Inventory menu. See Manage Device Inventory.

Miscellaneous

  • Miscellaneous tab—You can configure an Application Layer Gateway (ALG) profile, SNMP, override DF bit, NTP server, and syslog server in the Miscellaneous tab for a branch. In Release 9.1.0, SNMP is supported on LAN and NTP is supported on WAN ports. See Configure Miscellaneous Parameters.

    portal-configure-miscellaneous-tab.png

Monitor

  • LED actions—In Monitor view, LED and actions options have been added. The LED shows whether the device is in sync or out of sync with the configuration on the Director node and Titan. The new actions are:
    • Sync Configuration (With Titan)
    • Restart Services (on the Device)
      verify-device-status-action.png
  • Legends view—You can view legends from the Dashboard on the Configure and Monitor menus. See Titan Portal Home Screen.

    portal-configure-site-legend.png
  • Ping—You can run a ping test from the dashboard to any LAN port that is up.

    monitor-network-lan-ping.png
     
  • HA view enhancements—(For Releases 9.1.1 and later.) In honeycomb view, the activation progress bar shows registering, configuring, an rebooting progress text. For HA deployments, the primary device has a pink border, a text label that shows primary device is open, and text that shows reason for device activation failure.
    • Registered—When you click  start activation, the first action in the activating a device process is registered. The honeycomb progress bar displays this.
    • Configuring—The honeycomb progress bar display changes from registered to configuring after the post staging starts.
    • Rebooting—The honeycomb progress bar display changes from configuring to rebooting as the device reboots when post staging is complete.

      site-registering.png          site-configuring.png        site-rebooting.png

      site-config-ha-primary1.png       site-config-ha-primary.png

      site-config-ha-activation-failure.png
  • Tasks list—The tasks list, on the Titan Portal home page, provides visibility about Titan and Versa Director tasks. See Titan Portal Home Screen.

    task-view.png

Network

  • Add/Delete WAN and LAN interfaces—You can add or reallocate new WAN and LAN interfaces on active devices without undeploying the devices. You must first lock the device before changing WAN and LAN interfaces, and then you must publish the changes. See Configure WAN Connections.

    network-wan2.png

    sase-create-site-lan1-remove.png
  • Advance Configurations (Customized) window moved to Configure Advanced WAN settings—(For Releases 9.3.0 and later.) The WAN monitor for IP SLA configuration options have moved to the Advance Configuration window. See Configure WAN Connections.

    network-wan2.png
     
  • Corporate WiFi and guest WiFi updates—(For Releases 9.3.0 and later.) When you configure corporate and guest WiFi, you can select Broadcast SSID to display the name of network in the available WiFi connections list and select an encryption protocol. For a device that is already deployed or activated, you must first lock the device before you can enable or disable the broadcast SSID, or change the encryption protocol. See Use the Configure Dashboard.

    wifi-edit-network.png
  • Device IP address reservation—(For Releases 9.1.1 and later.) For device IP address reservation, the IP address must be part of respective interface IP subnet instead of DHCP pool. See Configure LAN Connections.
  • Enable high availability (HA) cross-connect port—(For Releases 9.1.1 and later.) You can enable HA cross-connect port on any of the LAN ports on the primary device and the cross-connect port is not allowed to delete on the primary or secondary device. See Configure LAN Connections.

    network-lan-ethernet-ports3.png
  • External interface option for LAN port forwarding—(For Releases 9.3.1 and later.) When you create a port-forwarding rule, the traffic flow for address translation method is as follows, depending on the type of NAT you configure:
    • For the destination NAT type, the external interface is the WAN (source) interface and the traffic flow is from the WAN interface to the LAN (destination) servers.
    • For the static or source NAT type, the external interface is the WAN interface and the traffic flow is from the LAN servers to the WAN interface.
    • For the NAT type of no NAT, the traffic flow is on both the LAN and WAN interfaces. See Configure LAN Connections.

      port-forwarding-add-rule-ext-interface.png
       
  • IPsec VPN IKE and IPsec transforms—For IPsec VPNs, you can configure IKE versions and IPsec transforms. See Configure WAN Connections.

    portal-ipsec-vpn.png
  • IPsec VPN policy-based traffic steering—For IPsec VPNs, you can configure policy-based traffic steering based on source and destination IP address match conditions.

    portal-ipsec-vpn1.png
  • LAN DHCP client options update—(For Releases 9.3.0 and later.) DHCP client option configuration supports the new data type value hexadecimal string.
  • Link monitoring—(For Releases 9.1.1 and later.) In hot-standby mode, LTE dynamic monitoring through WAN and LTE links for next-hop reachability and/or remote IP reachability to detect link failure is enabled. Monitoring WAN and LTE links are enabled for both next-hop monitoring and/or remote IP monitoring with the IP address 8.8.8.8, with ICMP probes. See Configure WAN Connections.
    If you enable next-hop monitoring on LTE, next-hop ICMP probes are initiated to install routes. But many service providers block next-hop ICMP probes. In such cases, you can disable next-hop monitoring on LTE and add only a reachable IP address for monitoring (for example, 8.8.8.8). Note that automatic switchover to secondary LTE or WAN does not work if all ICMP probes are blocked.
    In cold-standby mode, LTE or WAN circuit and link monitoring are disabled. When you enable cold standby for LTE or any other interface, Titan monitors primary or secondary path using IP SLA and the LTE link state goes to Up only when the primary or secondary WAN interfaces are down.
  • Network Address Translation (NAT) types in port-forwarding rules—(For Releases 9.1.1 and later.) For rule types in Network > LAN > Port Forwarding > Add Rule, DNAT and SNAT have been renamed to destination NAT and static NAT, and source NAT added to the list. For static NAT, you cannot configure internal and external ports. For No NAT, All WAN is added to the interface list to perform no translation for all WANs on the device. See Configure LAN Connections.

    network-lan-port-forwarding-add-rule.png
  • PPPoE on Ethernet interfaces—(For Releases 9.1.1 and later.) When you configure PPPoE on Ethernet interfaces, the service name and access concentrator fields show values.
  • Primary and secondary WAN interface priority—(For Releases 9.3.1 and later.) For internet-bound and SD-WAN traffic, a hot-standby circuit has a lower preference than the primary circuit. You can create rules to steer traffic on the interface. Titan sends DIA traffic to a hot-standby interface only if the primary interface is down.
  • Public WAN IP address on hubcontroller behind a NATed firewall interface—(For Releases 9.1.1 and later.) For a hub–controller topology, you can enable a NAT firewall and enter the public IP address for WAN interface behind the firewall/NAT.
  • Traffic shaping—(For Releases 9.3.0 and later.) You can configure traffic shaping per WAN port and assign guaranteed rate and transmit rate to different outbound queues in percentage. You need to configure traffic shaping in Network > WAN > Advance Configurations (Customized).

    wan-advance-configuration.png
  • Uplink and downlink bandwidth options—You can configure the uplink and downlink bandwidth for WAN and LTE ports in the WAN > Advanced Configuration, to use for traffic shaping and QoS on the interfaces. You can enter the local internet service provider's (ISP's) expected speeds.

    wan-advanced-config.png

Routing

  • EBGP, OSPF, and static routing—You can configure EBGP, OSPF, and static routing on the Routing tab. Configuration for static LAN and WAN has moved to the Routing tab. See Configure Routing.

    configure-static-routing.png

SASE

  • Delete a SASE tenant—(For Releases 9.3.0 and later.) MSPs and resellers can delete a deployed and activated SASE tenant from the gateway, from Inventory > Action > Delete Tenant. See Manage Device Inventory.

    portal-inventory-actions.png
     
  • IPsec tunnel address pool for VSA client—For a VSA client, you can configure an IPsec IP address pool. You specify the starting and ending IP addresses of the pool and the netmask. See Configure a Secure Access Service (Remote Access VPN) Template.

    portal-versa-secure-access-ipsec.png
  • LAN updates for a SASE gateway tenant—(For Releases 9.1.1 and later.) On a private SASE gateway, you must make LAN section changes for a tenant in the tenant context and not in provider context. See Configure LAN Connections.

    sase-tenant-network-screen.png

    sase-tenant-network-screen1.png
  • Private SASE gateway—You can configure a private SASE gateway for customers using CSG770, CSG1300, CSG1500, vCSG-L, and vCSG-XL devices. See Add SASE Gateway Devices.

    portal-organization-details-add-device-details-sase.png
     
  • Private SASE gateway for MSP—You can configure a private multitenant SASE gateway for customers using CSG770, CSG1300, CSG1500, vCSG-L, and vCSG-XL devices.
  • Private SASE gateway using custom LAN port—(For Releases 9.1.1 and later.) For a private SASE gateway, you can use LAN port 5 for VLAN allocation to a tenant when you add gateway service for tenant with a customized VLAN advanced option. If you add a gateway service without the advanced option, VLAN is added to port 2 by default.
  • SASE gateway ALG profile—(For Releases 9.3.0 and later.) You can configure an application-level gateway (ALG) profile and override the DF bit. You configure this in the Miscellaneous tab for a SASE Gateway. See Configure Miscellaneous Parameters.

    network-miscellaneous-sase-alg.png
  • Upgrade and renewal options in SASE gateway—(For Releases 9.1.1 and later.) SASE gateway license upgrade and renewal have separate options in Inventory > Device Type > SASE Gateway. If the license is expired, you receive an email to renew the license and the configuration screen becomes read-only. A blue LED, in the admin configuration for the site identifies the device whose license has expired. See Configure and Activate SASE Gateway Devices.

    sase-view-sase-licenses.png
     
  • VSA two-factor login local—(For Releases 9.3.1 and later.) You can select email OTP, or TOTP through a third-party authenticator application on a mobile device to receive an OTP for login for users created on the VSA local gateway with the two-factor authentication option. For VSA two-factor authentication login with AD users, you can enable two-factor authentication and receive only a TOTP for authentication. See Configure a Secure Access Service (Remote Access VPN) Template

    secure-access-client-config.png

Security

  • Enable reorder rules—You can enable reorder rule in default template firewall rules.
  • Multiple source and destination IP address and hostname in security, traffic-steering, and TLS decryption rules—(For Releases 9.3.0 and later.) For security, traffic-steering, and TLS decryption rules, in the Match Criteria > Address and Hostname tabs, you can add and remove multiple source and destination IP addresses and hostnames. See Configure Security.

    portal_security_add_firewall_rules_match_criteria.png
    portal_security_add_firewall_rules_match_criteria_address1.png
    portal_security_add_firewall_rules_match_criteria_address_source.png portal_security_add_firewall_rules_match_criteria_address_destination.png
     
  • TLS decryption—You can download a Versa-generated CA certificate and key from the Titan Dashboard. You can upload you own CA certificate and key. Default decryption rules and policy are provided for provider organizations. Tenant users can create their own decryption rules and policy. See Configure TLS Decryption.

    configure-security.png

SSO

  • External SSO authentication—(For Releases 9.3.1 and later.) Titan Portal offers single sign-on as a login mechanism between service providers and identity providers.You must enter an organization name to direct the webpage to an authenticator, such as Okta or One Login. See Add and Manage New Customers on the Titan Dashboard.

    org-add-new-customer.png

    When adding a user in the Users > Add User window, an operator, store admin, MSP, or reseller can select External SSO Auth to enable SSO.

    user-add-msp.png

     sso-login-page.png

    sso-login-org-name.png
  • External SSO profile—(For Releases 9.3.1 and later.) You can configure an organization-level SSO profile for external authentication and authorization. To set up an external SSO profile, go to Settings > Single Sign-On on the Titan dashboard. For All IdP users, an external IDP authenticates and authorizes the user, and then Titan Portal proceeds with access for the user. For Titan-known users only, an external IdP authenticates the user, and then Titan authorizes the same user in Titan database and proceeds with access. See Configure Single Sign-On for Titan Portal.

    sso-settings.png

    sso-settings-add-info.png

Traffic Steering

  • Circuit selection criteria for steering profile—(For Releases 9.1.1 and later.) When you choose only a specific value for the circuit selection criteria in a Steering profile, only that value is added to the configuration. For example, if you select packet loss with 50 percent as circuit selection criteria, the configuration adds only packet loss 50 percent. In previous releases, the configuration added low and packet loss of 50 percent. See Configure Traffic Steering.
  • MOS value threshold for a traffic-steering circuit profile—(For Releases 9.3.0 and later.) You can specify the MOS value threshold when you configure a circuit in a traffic-steering profile. See Configure Traffic Steering.
  • Steering circuit selection based on priority—(For Releases 9.3.0 and later.) You can select WAN circuit priorities for local and remote clients. To select the priority value, go to Steering > Profile > Real Time > Add and click Select Circuit. See Configure Traffic Steering.

    configure-steering-profile-realtime-circuit.png
  • Steering rule update—(For Releases 9.3.0 and later.) All traffic-steering rules are located in one place, and you can reorder the rules. See Configure Traffic Steering.

    configure-steering-screen-rules.png

Users

  • Local, external, and VSA options in the Add User menu—(For Releases 9.3.1 and later.) During SSO creation, if you select Allow Users as Titan-Known Users Only, an enterprise admin can select local, external, or VSA user in the Add Users menu in an organization. Note that the VSA option applies and is visible only to SASE clients that purchased VSA service with local authentication. See Manage Users.
    • Local—For a local user, Titan Portal automatically sends an email to the user with instructions about how to set a password for Titan Portal.
    • External—For an external user, the authentication request goes to the external IdP and the user is authorized to access Titan Portal. The user exists in Titan database.
    • VSA—For VSA users, client users are set up on a SASE gateway database. An email is sent to set up the VSA client.

      user-add-secure-vpn-user.png
       
  • Manage customers from the Titan Dashboard—You can order new devices and upgrade and renew customers from the Titan Dashboard. The customers that you create and manage from dashboard are not synced to the MSP portal (shop). If you plan to use MSP portal, continue to use it to create customers and manage licenses. See Add and Manage New Customers on the Titan Portal Dashboard.

    portal-organization-home-details.png
  • MSP can add users—A managed service provider (MSP) can add users on Titan Dashboard to manage their customers. New roles are provided for MSP, Reseller, and Shop.
  • Reseller can create other resellers—A reseller can specifically define the customer that they want to manage on the Titan Dashboard in the Titan Portal. You can assign the privileges as Dashboard Admin, Manage Customer, Manage Service, and Monitor Customer Network.

Titan Mobile

  • Management Tools menu—The Management Tools menu provides options for the following:
    • Sync Configuration (with Titan)
    • Restart Services (on the device)
    • Reboot Device

      mobile-management-tools.png
       
  • Multiple source and destination IP address and hostname in security, traffic-steering, and TLS decryption rules—(For Releases 9.3.0 and later.) For security, traffic-steering, and TLS decryption rules, in the Match Criteria > Address tab and Hostname tab, you can add and remove multiple source and destination IP addresses and hostnames.
  • Ping—You can run a ping test from the dashboard to any LAN port that is up.

    mobile-network-lan-status.png
     
  • Steering circuit selection based on priority—(For Releases 9.3.0 and later.) You can select WAN circuit priorities for local and remote clients. To select the priority value, go to Steering > Profile > Real Time > Add and click Select Circuit.
  • Uplink and downlink bandwidth options—You can configure the uplink and downlink bandwidth for WAN and LTE ports, to use for traffic shaping and QoS on the interfaces. You can enter the local ISP's expected speeds.

    mobile-configure-wan.png

Limitations and Behavior Changes

Limitations and Behavior Changes for Release 9.1.0

The following are the limitations and behavior changes in Release 9.1.0.

  • To reallocate, add, or delete WAN or LAN interface:
    1. Lock the configuration.
    2. Make all the changes.
    3. Unlock and publish the changes.
  • To configure SASE:
    1. Make all the changes and save the configuration.
    2. Publish after you have made all configuration changes.
  • You must deploy hubs and spokes before you configure spoke groups.
  • You can run a ping from the dashboard on any LAN port that is up.
  • The Live Monitoring menu is deprecated.
  • Versa Analytics has moved from the left menu bar of the Titan Portal Home page to Settings drop-down with Versa Director access.
  • All SASE gateways must have the same services, and SWG and VSA must match essential or professional service tier.
  • When you order a private SASE gateway for an MSP, you cannot later upgrade from the Essential service to the Professional.
  • The subscription duration for the private SASE gateway for MSP must be more than the subscription duration configured for the tenant SASE gateway.
  • MSPs and resellers can use Shop or Dashboard to create customers and add hardware, licenses, and private gateways. However, you cannot use a combination of both, because there is no synchronization between Shop and Dashboard. If you start with Shop, use shop for all activities, and if you start with a Dashboard, use the dashboard to complete the activities.
    In a private SASE gateway, you cannot reassign or add LAN and WAN ports after the ports are activated.
  • You can use WiFi or GZTP to activate private SASE gateway devices. You cannot use Versable.
  • You cannot activate private SASE gateway in the Titan Mobile application. Use the Titan Portal instead.
  • For firewall and steering rules, you cannot configure custom logs for tenants on private multitenant SASE gateways.
  • You create hub or hub controller regions from the Titan Dashboard. However, only the Director administrator can delete the regions, because they cannot be deleted from the Titan dashboard. This is because regions are not tenant-specific, and they are used by multiple tenants and provider organizations.
  • When you upgrade a security package (SPack) and a device, upgrade the device first and and then upgrade the SPack. If you upgrade both at the same time, one of the upgrades fails.
  • Client pools on a private SASE gateway VSA must be large enough to distribute to the tenants. If the pool is exhausted, MSP must buy additional VSA client licenses.
  • After you add an IPsec profile, refresh the rules in the Security tab to avoid issues while publishing.
  • Before you delete an IPsec profile, you must delete the routes attached to the IPsec profile.
  • You must configure VLAN and IP address for sub tenants under the MSP provider tenant. The Ethernet ports section will be grayed out under the tenant organizations.
  • You add customized VLAN at the time of orchestration. After you deploy and activate the service, you cannot change the VLAN ID but you can change the IP address.
  • If you do not select the customized VLAN at the time of orchestration, you get the VLAN ID (tenant ID) and DHCP auto-assigned those you cannot change.
  • PPPoE supports xDSL interfaces. Note that DSL is supported only on CSG355, CSG365, CSG1300, and CSG1500 appliance models.
  • You can activate xDSL devices only via Versable.
  • You can configure one PPPoE interface each on the WAN1 and WAN2 ports. The WAN3 and WAN4 ports do not support PPPoE.
  • PPPoE does not support WAN with VLAN for WAN Port0.
  • When you activate CSG300 Series appliances using the Versable activation method, the appliance may experience timeout issues. However, the activation will be successful.
  • If you use autodeploy spoke from Shop, Titan does not support the spoke group. To select a spoke group in the Site menu, drag and drop it from the dashboard.
  • In the Mobile App, if you activate HA device with the Versable activation method, you must switch off the secondary device to activate primary device, and vice versa.
  • If you use cCSG as a private gateway, the device must have two WAN ports and one LAN port.
  • Titan Portal does not support deletion of organization on multi-tenant SASE. If you want to delete an organization, contact Versa Support NOC.

 

Limitations and Behavior Changes for Release 9.1.1

The following are the limitations and behavior changes in Release 9.1.1.

  • If you want to delete the rules added before Release 9.1.1, you (or the NOC) must configure services for that rule from the Director node and commit to device before deleting the rule. For example, if you added the rule DNATTEST, create the service with the postfix rule name_frd (DNATTEST_frd).

Limitations and Behavior Changes for Release 9.3.0

The following are the limitations and behavior changes in Release 9.3.0.

  • In SD-WAN traffic-steering rules, you cannot select the destination zone as SD-WAN based on source zone only. For DIA traffic steering, the destination zone is available only for spoke device.
  • When you delete a profile, the SNAT pool created during the profile creation is not deleted and the SNAT pool is available when you create another profile. To delete the SNAT pool, you must delete it inside the SNAT pool profile and then publish.
  • You cannot delete a LAN or WAN interface on an HA primary device in lock mode if a DNS proxy profile is configured with LAN or WAN interfaces on the HA secondary device. You must delete the DNS proxy configuration on the HA secondary device before deleting the LAN or WAN interface on the primary device.
  • In the server settings for a DNS proxy rule server, you cannot configure monitor for a LAN network. You can configure monitor only for site and WAN network.
  • After you choose the template when you are creating the site, you cannot see which template is selected for the device from the GUI. However, you can view the devices associated with templates from the default configuration.
  • DNS proxy profile supports site and network to redirect DNS packets. For undeployed sites, the DNS profile has an incomplete configuration on the Director and Titan Portal.

Recommendations

Recommendations for Release 9.1.0

This section describes recommendations for Release 9.1.0.

  • Before you delete the private SASE gateway for MSP, deactivate the tenants and organizations on a private SASE gateway.
  • When an upgrade is in progress, do not publish any configurations, and do not reboot or reset the device until the upgrade process completes. Otherwise, the state of the upgrade becomes unknown.
  • Creating a private SASE gateway is a multistep process. Before you add tenants, see Deploy SASE Gateway Services, and test the gateway before you add tenants. Note the following:
    • A public FDQN is required.
    • You must upload the CA certificate of MSP before you create a tenant.
    • You must activate the device so that VSA tab is write-enabled.
    • You must configure VSA before trying the VSA client.
  • If an MSP wants to use their own SASE gateway, go to the MSP Organizations page, add a device into the organization's cloud gateway, and add the local database or LDAP.
  • When you update DNS server settings on WAN interfaces on an HA site, you need to be in lock mode.
  • You must download and update SPack on the device from Inventory menu for some advanced security features to work correctly. To download and upgrade SPack, see Upgrade Software.

Recommendations for Release 9.3.1

This section describes recommendations for Release 9.3.1.

  • You can also use the existing authentication method to log in to Titan Portal.
  • If you are using both the existing and external authentication, you must enter organization name for the external authenticator whenever you log in. Keep the company or organization name short and unique.
  • When you create an organization, add the first admin name, and select external SSO is selected, this admin user has local login privileges so that they can select SSO in dashboard and configure the SSO parameters.
  • Legacy users created in the dashboard and later added to external SSO receive local user login or external SSO login.
  • If external SSO does not provide the roles and privileges when a user logs in, the read and write access privileges are the enterprise's default privileges for enterprise users.
  • Ensure that you configure a call back URL, a service provider identity ID, and external ID on the external SSO. These values are provided in the view SSO Profile configuration popup window.
  • You cannot add a local user on Titan Portal and an external user on the IdP.
  • When a user logs in to Titan Portal, the database stores the user in its profile. Even if you change from Known Titan Users to All IDP Users, the user can log in to Titan Portal.
  • For privileges such as read or write access created both locally and on the IdP, the IdP overrides the local privileges during the login process.
  • For Release 9.3.1, Titan-generated rules are visible. In previous releases, these rules were hidden. The Titan-generated default rules for SASE gateway, VSA, and SWG are disabled by default. You can enable these rules based on the enterprise's security requirements. Note that you can disable or reorder the Titan-generated rules, but you cannot delete them.
  • To change the DSCP value in an existing rule, you must delete the rule and then add a new rule with a new DSCP value. If you edit or update an existing rule with a new DSCP value, the configuration on the device does not change.

Revision History

Revision 1—Release 9.1.0, November 5, 2021
Revision 2—Release 9.1.1, March 29, 2022
Revision 3—Release 9.3.0, April 7, 2022
Revision 4—Release 9.3.1, July 25, 2022

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
    Product
    Titan
  2. Tags
    This page has no tags.