Mode |
Select a mode:
|
Name |
Enter a unique name for the Edge. |
Model |
Select an Edge model from the drop-down menu. |
Profile |
Select a Profile to be assigned to the Edge, from the drop-down menu. For information on how to create a new Profile, see Create Profile.
Note: If an
Edge Staging Profile is displayed as an option due to Edge Auto-activation, it indicates that this Profile is used by a newly assigned Edge, but has not been configured with a production Profile.
|
Edge License |
Select an Edge license from the drop-down menu. The list displays the licenses assigned to the Enterprise, by the Operator. |
Authentication |
Choose the mode of authentication from the drop-down menu:
- Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
Warning: This mode is not recommended for any customer deployments.
- Certificate Acquire: This mode is selected by default and is recommended for all customer deployments. With Certificate Aquire mode, certificates are issued at the time of Edge activation and renewed automatically. The Orchestrator instructs the Edge to acquire a certificate from the certificate authority of the SASE Orchestrator by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SASE Orchestrator and for establishment of VCMP tunnels.
Note: After acquiring the certificate, the option can be updated to
Certificate Required, if needed.
- Certificate Required: This mode is only appropriate for customer enterprises that are "static". A static enterprise is defined as one where no more than a few new Edges are likely to be deployed and no new PKI oriented changes are anticipated.
Important:
Certificate Required has no security advantages over
Certificate Acquire. Both modes are equally secure and a customer using
Certificate Required should do so only for the reasons outlined in this section.
Certificate Required mode means that no Edge heartbeats are accepted without a valid certificate.
Caution: Using this mode can cause Edge failures in cases where a customer is unaware of this strict enforcement.
With this mode, the Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges by editing the Orchestrator's System Properties. For more information, contact your Operator.
Note:
- With the Bastion Orchestrator feature enabled, the Edges that are to be staged to Bastion Orchestrator should have the authentication mode set to either Certificate Acquire or Certificate Required.
- When an Edge certificate is revoked, the Edge is deactivated and needs to go through the activation process. The current QuickSec design checks certificate revocation list (CRL) time validity. The CRL time validity must match the current time of Edges for the CRL to have impact on new established connection. To implement this, ensure the Orchestrator time is updated properly to match with the date and time of the Edges.
|
Encrypt Device Secrets |
Select the Enable check box to allow the Edge to encrypt the sensitive data across all platforms. This option is also available on the Edge Overview page. For more information, see View Edge Information.
Note: For Edge versions 5.2.0 and above, before you deactivate this option, you must first deactivate the Edge using remote actions. This causes restart of the Edge.
|
High Availability |
Select the Enable check box to apply High Availability (HA). Edges can be installed as a single standalone device or paired with another Edge to provide High Availability (HA) support. For more information about HA, see the High Availability Deployment Models section. |
Local Contact Name |
Enter the name of the site contact for the Edge. |
Local Contact Email |
Enter the email address of the site contact for the Edge. |