This section describes the features of the VMware SD-WAN Orchestrator alerting subsystem.

Alerts and Notifications

The following figure provides a basic overview of the alerts and notifications.

[Figure: alerts]

The alerting subsystem implements three pipelined functions.

Function | Description
System Monitoring | Detection and tracking of system status, including Edge, VPN, Gateway and VMware SD-WAN Orchestrator states. System and entity states are recorded in a database.
Trigger Detection | Firing and recording of alert triggers when system states are considered notification-worthy. The transition from a monitored state to an alert trigger is configurable, for example how long a state should persist before an alert trigger is fired. The triggers are recorded in a database.
Notification Monitor | Notification of interested parties when alert triggers are recorded. Notification is configurable by a customer. Customers can define who should receive notification for each event type, how soon, and how often. This process results in the delivery of notifications to configured recipients and the recording of notification entries in a database.

System States

The Alert feature will detect and monitor three system states:

State | Description
Edge Up / Down | Determined by the presence or absence of heartbeats from the Edge.
Link Up / Down | Determined by the presence of link statistics from the Edge.
VPN Tunnel Up / Down | Derived from status events from the gateway to the VMware SD-WAN Orchestrator.

Notifications

When an alert trigger is recorded in the database, notification is sent immediately to the comma / space separated list of email addresses in the vco.alert.mail.to system property. If no value is configured there, no notification is delivered. This notification is meant to alert VMware SD-WAN service support / operations personnel of impending issues before the customer is notified.

The customer is notified after the ‘notification delay’ that was configured for the corresponding alert type. If the customer has not configured the alert type, no notification is sent other than the operator notification. If the vco.alert.mail.cc property is configured, a copy of the customer’s email will be sent to the list of addresses defined.

Parameterization of the alert emails is controlled by the ‘mail.*’ system properties. These define the SMTP relay server, the reply-to address, etc.

The following system properties configure the behavior of state monitoring, alert generation, and notification.

Monitoring

  • vco.monitor.enable - boolean that globally activates or deactivates monitoring of enterprise states (Edge, Link, and VPN tunnel). This flag supersedes vco.enterprise.monitor.enable and vco.operator.monitor.enable so it can be used to turn off all monitoring with a single property. The default value is true.
  • vco.enterprise.monitor.enable - boolean that globally activates or deactivates monitoring of enterprise states (Edge, Link and VPN tunnel). This property can be used to terminate monitoring when a VMware SD-WAN Orchestrator will be brought down / up or when network connectivity to the VMware SD-WAN Orchestrator is down. Setting the flag to false prevents the VMware SD-WAN Orchestrator from changing entity states and triggering alerts. The default value is true.
  • vco.operator.monitor.enable - boolean that globally activates or deactivates monitoring of operator entity states (gateways only in Bacardi release). This property can be used to terminate monitoring when a VMware SD-WAN Orchestrator will be brought down / up or when network connectivity to the VMware SD-WAN Orchestrator is down. Setting the flag to false prevents the VMware SD-WAN Orchestrator from changing gateway states. The default value is true.

Alerts

  • vco.alert.enable - boolean that globally activates or deactivates the generation of alert triggers. This flag supersedes vco.enterprise.alert.enable and vco.operator.alert.enable so it can be used to turn off all alerting with a single property. The default value is true.
  • vco.enterprise.alert.enable - boolean that globally activates or deactivates the generation of alert triggers. If true, state changes are allowed to generate alert triggers in the database. If false (and if vco.enterprise.monitor.enable is true), state changes are monitored and recorded but no alerts will occur and no triggers will be visible on the VMware SD-WAN Orchestrator. The default value is true.
  • vco.operator.alert.enable - The default value is true.

Notification

  • vco.notification.enable - boolean that globally activates or deactivates the delivery of notifications to both operator and enterprise recipients. This flag supersedes vco.enterprise.notification.enable and vco.operator.notification.enable so it can be used to turn off all alert notifications with a single property. The default value is true.
  • vco.enterprise.notification.enable - boolean that globally activates or deactivates the delivery of notifications to enterprise recipients. If monitoring and alerts are activated, the effect of deactivating notification is that alert triggers are processed as normal but notifications are not sent (they are permanently lost; they will not be sent at a later time). The default value is true.
  • vco.operator.notification.enable - boolean that globally activates or deactivates the delivery of notifications to operator recipients. If enterprise monitoring and alerts are activated, the effect of deactivating notification is to skip the notification of operator recipients (notifications are permanently lost; they will not be sent at a later time). The default value is true.

Mail

  • vco.alert.mail.to - all triggered alerts generate an email to the list of addresses configured in this system property. This is meant to be used to pre-alert VMware SD-WAN service support before the customer sees an alert. If the value is empty or contains bad email addresses, no pre-notification will be sent.
  • vco.alert.mail.cc - alert emails sent to customers will be CC’d to the list of email addresses configured in this system property. This is meant to be used as a ‘VMware SD-WAN service-sees-what-the-customer-sees’ support feature. If the value is empty or contains bad email addresses, no cc notification will be sent.

SMTP

SMTP must be configured or emails will not be sent.

  • mail.* - configure the SMTP parameters for email sent from the VMware SD-WAN Orchestrator.
  • mail.smtp.auth.pass - SMTP user password.
  • mail.smtp.auth.user - SMTP user for authentication.
  • mail.smtp.host - relay server for email originated from the VCO.
  • mail.smtp.port - SMTP port.
  • mail.smtp.secureConnection - use SSL for SMTP traffic.
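
One way to audit these properties for settings that silently suppress alerts or their delivery, as an added example that is not VMware code. The property names come from this page; the sample values are constructed, and the rule that a stage runs only when its global flag, its scoped flag and every earlier pipeline stage are active is this example's reading of the descriptions above, as is the simple address syntax check.

```python
import re

STAGES = ("monitor", "alert", "notification")  # pipeline order on this page
ADDR = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")  # syntactic check (assumption)

def flag(props, name):
    """Boolean property; the *.enable flags on this page default to true."""
    return str(props.get(name, "true")).strip().lower() == "true"

def effective(props, scope):
    """Effective state of each stage for scope 'enterprise' or 'operator'.

    Assumption: a stage runs only if its global flag, its scoped flag and
    every earlier pipeline stage are all active.
    """
    result, upstream = {}, True
    for stage in STAGES:
        upstream = (upstream and flag(props, f"vco.{stage}.enable")
                    and flag(props, f"vco.{scope}.{stage}.enable"))
        result[stage] = upstream
    return result

def recipients(props, name):
    """Split a comma / space separated list; one bad address voids the list."""
    parts = [p for p in re.split(r"[,\s]+", props.get(name, "")) if p]
    return parts if parts and all(ADDR.match(p) for p in parts) else []

def audit(props):
    """Return findings for settings that suppress alerts or their delivery."""
    findings = []
    for scope in ("enterprise", "operator"):
        for stage, active in effective(props, scope).items():
            if not active:
                findings.append(f"{scope} {stage} inactive")
    if not recipients(props, "vco.alert.mail.to"):
        findings.append("vco.alert.mail.to empty or invalid")
    if not props.get("mail.smtp.host"):
        findings.append("mail.smtp.host unset")
    return findings

# Constructed sample values, not taken from a real Orchestrator.
SAMPLE = {
    "vco.enterprise.notification.enable": "false",
    "vco.alert.mail.to": "noc@example.com, oncall@example",
    "mail.smtp.host": "relay.example.com",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
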

PKI

  • session.options.pkiEnabled - expose PKI configuration and status pages.
  • session.options.enablePki - enable PKI.

Edge

  • edge.offline.limit.sec - if this number of seconds passes without detecting a heartbeat from an Edge, a state transition from CONNECTED → DEGRADED or DEGRADED → OFFLINE is made. The default value is 60 seconds.
  • edge.link.unstable.limit.sec - if this number of seconds passes without the receipt of link statistics for a link, a state transition from STABLE → UNSTABLE is made. The default value is 360 seconds (one minute longer than the link status push interval).
  • edge.link.disconnected.limit.sec - if this number of seconds passes without the receipt of link statistics for a link, a state transition to DISCONNECTED is made regardless of the current state. The default value is 720 seconds.
  • edge.deadbeat.limit.days - edges that have not been heard from in this many days are not considered for alert generation. This is primarily used to prevent large numbers of alerts from being generated when the feature is first deployed.

VPN

  • vpn.disconnect.wait.sec - system wait interval after receipt of a VPN DISCONNECTED or VPN_FAIL event before a transition from CONNECTED → DISCONNECTED is made. The default value is 90 seconds.
  • vpn.reconnect.wait.sec - system wait interval after receipt of a VPN CONNECTED event before a transition from DISCONNECTED → CONNECTED is made. The default value is 45 seconds.
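
The Edge, link and VPN timers above, worked through as an added example (not VMware code) that shows how long an outage must last before a state change is recorded. The limits are the defaults from this page; the event labels and event stream are constructed, and two points are assumptions of this example: each Edge step takes one full limit, and a contrary VPN event received before the wait expires cancels the pending transition.

```python
# Default limits from this page, in seconds.
EDGE_OFFLINE_LIMIT = 60
LINK_UNSTABLE_LIMIT = 360
LINK_DISCONNECTED_LIMIT = 720
VPN_DISCONNECT_WAIT = 90
VPN_RECONNECT_WAIT = 45

def edge_state(silence, limit=EDGE_OFFLINE_LIMIT):
    """Edge state after `silence` seconds without a heartbeat.

    Assumption: each step (CONNECTED -> DEGRADED -> OFFLINE) takes one limit.
    """
    if silence < limit:
        return "CONNECTED"
    return "DEGRADED" if silence < 2 * limit else "OFFLINE"

def link_state(silence):
    """Link state after `silence` seconds without link statistics."""
    if silence >= LINK_DISCONNECTED_LIMIT:
        return "DISCONNECTED"
    return "UNSTABLE" if silence >= LINK_UNSTABLE_LIMIT else "STABLE"

def vpn_transitions(events, end):
    """Replay (time, event) pairs up to `end`; return committed transitions.

    Assumption: an opposite event that arrives before the wait interval
    expires cancels the pending transition, so short flaps leave no trace.
    """
    target_of = {"CONNECTED": "CONNECTED", "DISCONNECTED": "DISCONNECTED",
                 "FAIL": "DISCONNECTED"}
    state, pending, committed = "CONNECTED", None, []
    for t, event in sorted(events) + [(end, None)]:
        if pending and t >= pending[0]:      # wait elapsed: commit the change
            committed.append(pending)
            state, pending = pending[1], None
        target = target_of.get(event)
        if target == state:
            pending = None                   # contrary event cancels the timer
        elif target is not None and pending is None:
            wait = VPN_DISCONNECT_WAIT if target == "DISCONNECTED" else VPN_RECONNECT_WAIT
            pending = (t + wait, target)
    return committed

# Constructed event stream: a 30 s flap, then a 200 s outage.
SAMPLE_EVENTS = [(0, "DISCONNECTED"), (30, "CONNECTED"), (200, "FAIL"), (400, "CONNECTED")]

if __name__ == "__main__":
    print(edge_state(75), link_state(400), vpn_transitions(SAMPLE_EVENTS, 1000))
```
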

Radius Authentication

The image below represents an example of the first two attributes listed below (radius authentication for both Operator and Enterprise).

  • vco.operator.authentication.radius
  • vco.enterprise.authentication.radius

    [Figure: operator-system-properties-authentication]

  • vco.enterprise.authentication.mode
  • vco.operator.authentication.mode

Self-service Password Reset

Note: Content for 'Self-service Password Reset' is new for the 3.3 release.

  • Enterprise:
    • vco.enterprise.resetPassword.token.expirySeconds - For Enterprise users who will initiate the reset of their own password: after a self-service password reset link is emailed to a user, this property represents the length of time the self-service password reset link will be valid. After the length of time has passed, the link will expire.
    • vco.enterprise.selfResetPassword.token.expirySeconds - For Operators or Customer Admins who initiate the reset of an Enterprise user's password: after a self-service password reset link is emailed to a user, this property represents the length of time the self-service password reset link will be valid. After the length of time has passed, the link will expire.
    • vco.enterprise.resetPassword.twoFactor.mode - The second factor password reset authentication mode for all Enterprise users. Currently, the only option is SMS.
    • vco.enterprise.resetPassword.twoFactor.required - For Enterprise, whether two factor authentication is required for password reset.
    • vco.enterprise.selfResetPassword.enabled - For Enterprise, activates or deactivates self-service password reset.

  • Operator:
    • vco.operator.selfResetPassword.enabled - For Operators, activates or deactivates self-service password reset.
    • vco.operator.selfResetPassword.token.expirySeconds - After a self-service password reset link is emailed to a user, this property represents the length of time the self-service password reset link will be valid. After the length of time has passed, the link will expire.
    • vco.operator.selfResetPassword.twoFactor.required - For Operators, whether two factor authentication is required for self-service password reset.

Two-factor Authentication

  • vco.enterprise.authentication.twoFactor.enable - Activates or deactivates second factor authentication for Enterprise.
  • vco.enterprise.authentication.twoFactor.mode - Second factor authentication mode for all Enterprise users. Presently, the only option is SMS.
  • vco.enterprise.authentication.twoFactor.require - Second factor authentication required for all Enterprise users.
  • vco.operator.authentication.twoFactor.enable - Activates or deactivates second factor authentication for Operators.
  • vco.operator.authentication.twoFactor.mode - Second factor authentication mode for all Operator users. Presently, the only option is SMS.
  • vco.operator.authentication.twoFactor.require - Second factor authentication required for all Operators.

When the required property is set to false (the default):

  • Only enforce two factor authentication on users with mobile phone numbers.
  • Allow a super user to deactivate two factor authentication temporarily for a specific user.
  • When users don't have mobile phone numbers, bypass the two factor authentication screen altogether.

When the required property is set to true:

  • Enforce two factor authentication on all users by default, therefore locking out users that do not have mobile phone numbers.
  • Allow a super user to deactivate two factor authentication temporarily for a specific user.
  • Mobile phones should be required when creating users impacted by two factor authentication.
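
The two behaviours above, turned into an audit that lists which accounts sign in without a second factor and which would be locked out if the require property were switched to true. This is an added example, not VMware code: the user records and their field names (mobile, two_factor_suspended) are hypothetical, and treating an unset enable property as off is an assumption because the page gives no default for it.

```python
from collections import defaultdict

def outcome(user, enabled, require):
    """How one user authenticates under the twoFactor.enable / .require values."""
    if not enabled:
        return "password_only:2fa_not_enabled"
    if user.get("two_factor_suspended"):     # super user deactivated it temporarily
        return "password_only:suspended"
    if user.get("mobile"):
        return "two_factor"
    # No mobile number: locked out when required, otherwise the 2FA screen is bypassed.
    return "locked_out" if require else "password_only:no_mobile"

def audit(users, props, scope):
    """Group usernames by outcome for scope 'enterprise' or 'operator'."""
    prefix = f"vco.{scope}.authentication.twoFactor."
    # Assumption: an unset enable flag means off (the page gives no default).
    enabled = props.get(prefix + "enable", "false") == "true"
    require = props.get(prefix + "require", "false") == "true"   # default false
    groups = defaultdict(list)
    for user in users:
        groups[outcome(user, enabled, require)].append(user["username"])
    return dict(groups)

def lockout_preview(users, props, scope):
    """Users who would be locked out if require were switched to true."""
    key = f"vco.{scope}.authentication.twoFactor.require"
    return audit(users, {**props, key: "true"}, scope).get("locked_out", [])

# Constructed sample data; the user field names are hypothetical.
USERS = [
    {"username": "alice", "mobile": "+15550100"},
    {"username": "bob", "mobile": ""},
    {"username": "carol", "mobile": "+15550101", "two_factor_suspended": True},
]
PROPS = {"vco.enterprise.authentication.twoFactor.enable": "true",
         "vco.enterprise.authentication.twoFactor.mode": "SMS"}

if __name__ == "__main__":
    print(audit(USERS, PROPS, "enterprise"))
    print(lockout_preview(USERS, PROPS, "enterprise"))
```
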

User Agreements

session.options.enableUserAgreements - Enables the end user service or license agreement functionality.

vco.enterprise.userAgreement.display.mode - Displays the end user service or license agreement to the superusers specified in the Value text field. Set the Value text field to one of the following, “NONE,” “ALL,” “WITH_MSPS,” “WITHOUT_MSPS.” The default value is set to “NONE.” The “ALL” value includes Enterprise Superusers and Partner Superusers.

Edge License

session.options.enableEdgeLicensing - Enables the Edge licensing feature Orchestrator-wide.

Segmentation

enterprise.capability.enableSegmentation - Activate or deactivate the segmentation capability for enterprise. When the value is set to true, a default Profile (Initial Segmented Operator Profile) will be created in the Operator Profiles area. When the value is set to false, a default Profile (Initial Operator Profile) will be created in the Operator Profiles area.

Edge Link Event

  • vco.operator.alert.edgeLinkEvent.enable - Global activate/deactivate operator alert for edge link event. Default value: True

Edge Liveness Event

  • vco.operator.alert.edgeLiveness.enable - Global activate/deactivate operator alert for edge liveness event. Default value: True

Deactivate Creating New Customers

  • session.options.disableCreateEnterprise - Operator Superusers can deactivate the ability to create a new customer by setting this system property to true. (One of the most common reasons to use this system property is if the VCO is reaching its usage capacity.) When this system property is set to true, Operator Superusers, Standard Operators, and Business Specialists Operators will not be able to create a new customer from the VCO API or the VCO UI. Default value: False
  • session.options.disableCreateEnterpriseProxy - Operator Superusers can deactivate the ability for partners to create a new customer. (One of the most common reasons to use this system property is if the VCO is reaching its usage capacity.) When this system property is set to true, Partner Superusers and Partner Standard Admins will not be able to create a new customer from the VCO API or the VCO UI. Default value: False (NOTE: Setting this system property to true will not prevent Partner Superusers from creating Partner Admins.)

Deactivate Creating New Partners

  • session.options.disableCreateEnterpriseProxy - Operator Superusers can deactivate the ability to create new partners. (One of the most common reasons to use this system property is if the VCO is reaching its usage capacity.) When this property is set to true, Operator Superusers, Standard Operators, and Business Specialists will not be able to create a new Partner from the VCO API or the VCO UI. Default value: False (NOTE: Setting this system property to true will not prevent Partners from creating Partner Admins.)