As an Operator, you can add or modify the values of the system properties.
The following tables describe some of the system properties. As an Operator, you can set the values for these properties.
- Alert Emails
- Alerts
- Bastion Orchestrator Configuration
- Certificate Authority
- Customer Configuration
- Data Retention
- Edges
- Edge Activation
- Enhanced Firewall Services
- LAN-Side NAT Rules
- Monitoring
- Notifications
- Password Reset and Lockout
- Rate Limiting APIs
- Remote Diagnostics
- Security Service Edge (SSE)
- Segmentation
- Self-service Password Reset
- Syslog Forwarding
- TACACS Services
- Two-factor Authentication
- Tunnel Parameters for Edges
- VNF Configuration
- VPN
- Warning Banner
- Zscaler
System Property | Description |
---|---|
vco.alert.mail.to | When an alert is triggered, a notification is sent immediately to the list of Email addresses provided in the Value field of this system property. You can enter multiple Email IDs separated by commas. If the property does not contain any value, then the notification is not sent. The notification is meant to alert VMware support / operations personnel of impending issues before notifying the customer. |
vco.alert.mail.cc | When alert emails are sent to any customer, a copy is sent to the Email addresses provided in the Value field of this system property. You can enter multiple Email IDs separated by commas. |
mail.* | There are multiple system properties available to control the Alert Emails. You can define the Email parameters like SMTP properties, username, password, and so on. |
System Property | Description |
---|---|
vco.alert.enable | Globally activates or deactivates the generation of alerts for both Operators and Enterprise customers. |
vco.enterprise.alert.enable | Globally activates or deactivates the generation of alerts for Enterprise customers. |
vco.operator.alert.enable | Globally activates or deactivates the generation of alerts for Operators. |
System Property | Description |
---|---|
session.options.enableBastionOrchestrator | Enables the Bastion Orchestrator feature. For more information, see Bastion Orchestrator Configuration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html. |
vco.bastion.private.enable | Enables the Orchestrator to be the Private Orchestrator of the Bastion pair. |
vco.bastion.public.enable | Enables the Orchestrator to be the Public Orchestrator of the Bastion pair. |
System Property | Description |
---|---|
edge.certificate.renewal.window | This optional system property allows the Operator to define one or more maintenance windows during which Edge certificate renewal is enabled. Certificates scheduled for renewal outside of the windows are deferred until the current time falls within one of the enabled windows. Enable System Property: To enable this system property, type "true" for "enabled" in the first part of the Value text area in the Modify System Property dialog box (an example of the first part of this system property when it is enabled is shown in the image below). Operators can define multiple windows to restrict the days and hours of the day during which Edge renewals are enabled. Each window can be defined by a day, or a list of days (separated by commas), and a start and end time. Start and end times can be specified relative to an Edge's local time zone, or relative to UTC. See the image below for an example. Note: If attributes are not present, the default is enabled "false." When defining window attributes, adhere to the following: If the above-mentioned values are missing, the attribute defaults in each window definition are as follows: Deactivate System Property: This system property is deactivated by default, which means the certificate automatically renews after it expires. "enabled" is set to "false" in the first part of the Value text area in the Modify System Property dialog box. An example of this property when it is deactivated is shown below: { "enabled": false, "windows": [ { Note: This system property requires that PKI be enabled. |
gateway.certificate.renewal.window | This optional system property allows the Operator to define one or more maintenance windows during which Gateway certificate renewal is enabled. Certificates scheduled for renewal outside of the windows are deferred until the current time falls within one of the enabled windows. Enable System Property: To enable this system property, type "true" for "enabled" in the first part of the Value text area in the Modify System Property dialog box. See the image below for an example. Operators can define multiple windows to restrict the days and hours of the day during which edge renewals are enabled. Each window can be defined by a day, or a list of days (separated by commas), and a start and end time. Start and end times can be specified relative to an edge's local time zone, or relative to UTC. Note: If attributes are not present, the default is enabled "false." When defining window attributes, adhere to the following: If the above-mentioned values are missing, the attribute defaults in each window definition are as follows: Deactivate System Property: This system property is deactivated by default, which means the certificate automatically renews after it expires. "enabled" is set to "false" in the first part of the Value text area in the Modify System Property dialog box. An example of this property when it is deactivated is shown below: { "enabled": false, "windows": [ { Note: This system property requires that PKI be enabled. |
System Property | Description |
---|---|
session.options.enableServiceLicenses | This system property allows Operator users to manage Service Configuration, and is set to True by default. |
System Property | Description |
---|---|
retention.highResFlows.days | This system property enables Operators to configure high resolution flow stats data retention anywhere between 1 and 90 days. |
retention.lowResFlows.months | This system property enables Operators to configure low resolution flow stats data retention anywhere between 1 and 365 days. |
session.options.maxFlowstatsRetentionDays | This property enables Operators to query more than two weeks of flow stats data. |
retentionWeeks.enterpriseEvents | Enterprise events retention period (-1 sets retention to the maximum time period allowed) |
retentionWeeks.operatorEvents | Operator events retention period (-1 sets retention to the maximum time period allowed) |
retentionWeeks.proxyEvents | Proxy events retention period (-1 sets retention to the maximum time period allowed) |
retentionWeeks.firewallLogs | Firewall logs retention period (-1 sets retention to the maximum time period allowed) |
retention.linkstats.days | Link stats retention period (-1 sets retention to the maximum time period allowed) |
retention.linkquality.days | Link quality events retention period (-1 sets retention to the maximum time period allowed) |
retention.healthstats.days | Edge health stats retention period (-1 sets retention to the maximum time period allowed) |
retention.pathstats.days | Path stats retention period (-1 sets retention to the maximum time period allowed) |
SD-WAN Data | Data Retention Period |
---|---|
Enterprise Events | 1 year |
Enterprise Alerts | 1 year |
Operator Events | 1 year |
Enterprise Proxy Events | 1 year |
Link Stats | 1 year |
Link QoE | 1 year |
Path Stats | 2 weeks |
Flow Stats (Low Resolution) | 1 year – 1 hour rollup |
Flow Stats (High Resolution) | 2 weeks – 5 minute rollup |
Edge Health Stats | 1 year |
System Property | Description |
---|---|
edge.offline.limit.sec | If the Orchestrator does not detect a heartbeat from an Edge for the specified duration, then the state of the Edge is moved to OFFLINE mode. |
edge.link.unstable.limit.sec | When the Orchestrator does not receive link statistics for a link for the specified duration, the link is moved to UNSTABLE mode. |
edge.link.disconnected.limit.sec | When the Orchestrator does not receive link statistics for a link for the specified duration, the link is disconnected. |
edge.deadbeat.limit.days | If an Edge is not active for the specified number of days, then the Edge is not considered for generating Alerts. |
vco.operator.alert.edgeLinkEvent.enable | Globally activates or deactivates Operator Alerts for Edge Link events. |
vco.operator.alert.edgeLiveness.enable | Globally activates or deactivates Operator Alerts for Edge Liveness events. |
System Property | Description |
---|---|
edge.activation.key.encode.enable | Base64 encodes the activation URL parameters to obscure values when the Edge Activation Email is sent to the Site Contact. |
edge.activation.trustedIssuerReset.enable | Resets the trusted certificate issuer list of the Edge to contain only the Orchestrator Certificate Authority. All TLS traffic from the Edge is restricted by the new issuer list. |
network.public.certificate.issuer | When edge.activation.trustedIssuerReset.enable is set to True, set the value of network.public.certificate.issuer to the PEM encoding of the issuer of the Orchestrator server certificate. This adds the server certificate issuer to the trusted issuers of the Edge, in addition to the Orchestrator Certificate Authority. |
System Property | Description |
---|---|
edge.link.show.limit.sec | Allows setting the Edge Link Down Limit value for each Edge. |
System Property | Description |
---|---|
ntics.public.address | Specifies the hostname that is used to access the NSX Threat Intelligence Cloud Service (NTICS). |
gsm.public.address | Specifies the Public address of Global Services Manager (GSM). |
gsm.authentication.key | Specifies the mTLS key to authenticate with GSM. |
gsm.authentication.cert | Specifies the mTLS certificate to authenticate with GSM. |
gsm.authentication.passphrase | Specifies the mTLS passphrase to authenticate with GSM. |
System Property | Description |
---|---|
session.options.enableLansidePortRules | Allows configuring the Inside Port and Outside Port parameters for an Edge or Profile. |
System Property | Description |
---|---|
vco.monitor.enable | Globally activates or deactivates monitoring of Enterprise and Operator entity states. Setting the Value to False prevents SASE Orchestrator from changing entity states and triggering alerts. |
vco.enterprise.monitor.enable | Globally activates or deactivates monitoring of Enterprise entity states. |
vco.operator.monitor.enable | Globally activates or deactivates monitoring of Operator entity states. |
System Property | Description |
---|---|
vco.notification.enable | Globally activates or deactivates the delivery of Alert notifications to both Operator and Enterprises. |
vco.enterprise.notification.enable | Globally activates or deactivates the delivery of Alert notifications to the Enterprises. |
vco.operator.notification.enable | Globally activates or deactivates the delivery of Alert notifications to the Operator. |
System Property | Description |
---|---|
vco.enterprise.resetPassword.token.expirySeconds | Duration of time, after which the password reset link for an enterprise user expires. |
vco.enterprise.authentication.passwordPolicy | Defines the password strength, history, and expiration policy for customer users. Edit the JSON template in the Value field to define the following: strength (for example, since the new password “sitting” varies by only 3 characters from the old password “kitten”, it would be rejected as a replacement for “kitten”; the default value of -1 signifies that this feature is not enabled), expiry, and history. |
enterprise.user.lockout.defaultAttempts | Number of times the enterprise user can attempt to login. If the login fails for the specified number of times, the account is locked. |
enterprise.user.lockout.defaultDurationSeconds | Duration of time, in seconds, in which the Enterprise user account is locked. For example, if set to 300, the Enterprise user account is locked if four incorrect login attempts are made within 300 seconds. If set to 60, the Enterprise user account is locked if four incorrect attempts are made within one minute. Note: The number of attempts is configurable via the enterprise.user.lockout.defaultAttempts system property. |
enterprise.user.lockout.enabled | Activates or deactivates the lockout option for the enterprise login failures. |
vco.operator.resetPassword.token.expirySeconds | Duration of time, after which the password reset link for an Operator user expires. |
vco.operator.authentication.passwordPolicy | Defines the password strength, history, and expiration policy for Operator users. Edit the JSON template in the Value field to define the following: strength (for example, since the new password “sitting” varies by only 3 characters from the old password “kitten”, it would be rejected as a replacement for “kitten”; the default value of -1 signifies that this feature is not enabled), expiry, and history. |
operator.user.lockout.defaultAttempts | Number of times the Operator user can attempt to login. If the login fails for the specified number of times, the account is locked. |
operator.user.lockout.defaultDurationSeconds | Duration of time, in seconds, in which an Operator user account is locked. For example, if set to 300, the Operator user account is locked if four incorrect login attempts are made within 300 seconds. If set to 60, the Operator user account is locked if four incorrect attempts are made within one minute. Note: The number of attempts is configurable via the operator.user.lockout.defaultAttempts system property. |
operator.user.lockout.enabled | Activates or deactivates the lockout option for the Operator login failures. |
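As an added example (not Orchestrator code), the following Python models how the strength rule and the lockout properties in the table above behave: an edit-distance check where -1 disables the rule, and a sliding failure window sized by the lockout duration. The threshold semantics, the helper names, and the user names and timestamps are assumptions constructed for the example.

```python
from collections import defaultdict, deque


def levenshtein(a: str, b: str) -> int:
    """Edit distance: 'kitten' -> 'sitting' is 3 (two substitutions, one insertion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def new_password_accepted(old: str, new: str, min_difference: int) -> bool:
    """Strength rule from the table: reject a new password that differs from the
    old one by fewer than min_difference characters; -1 means the rule is off.
    (Assumed reading of the 'strength' entry in the passwordPolicy JSON.)"""
    if min_difference == -1:
        return True
    return levenshtein(old, new) >= min_difference


class LoginLockout:
    """Sliding-window lockout: `attempts` failures within `duration_seconds` lock
    the account for `duration_seconds` (assumed reading of the *.lockout.*
    properties: enabled, defaultAttempts, defaultDurationSeconds)."""

    def __init__(self, enabled: bool, attempts: int, duration_seconds: int):
        self.enabled = enabled
        self.attempts = attempts
        self.duration = duration_seconds
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time at which the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.enabled and self._locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; return True if the account is now locked."""
        if not self.enabled:
            return False
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > self.duration:   # forget old failures
            window.popleft()
        if len(window) >= self.attempts:
            self._locked_until[user] = now + self.duration
            window.clear()
            return True
        return False
```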
System Property | Description |
---|---|
vco.api.rateLimit.enabled | Allows Operator Super users to activate or deactivate the rate limiting feature at the system level. By default, the value is False. Note: The rate-limiter is not enabled in earnest, that is, it will not reject API requests that exceed the configured limits, unless the vco.api.rateLimit.mode.logOnly setting is deactivated. |
vco.api.rateLimit.mode.logOnly | Allows Operator Super users to run the rate limiter in LOG_ONLY mode. When the value is True and a rate limit is exceeded, only the error is logged and the corresponding metrics are fired, allowing clients to keep making requests without rate limiting. When the value is False, the API request is restricted according to the defined policies and HTTP 429 is returned. |
vco.api.rateLimit.rules.global | Allows defining a set of globally applicable policies used by the rate-limiter, in a JSON array. By default, the value is an empty array. Each type of user (Operator, Partner, and Customer) can make up to 500 requests every 5 seconds. The number of requests is subject to change based on the behavior pattern of the rate limited requests. The JSON array consists of the following parameters: Types: The type objects represent different contexts in which the rate limits are applied. The following are the different type objects that are available: Policies: Add rules to the policies to apply the requests that match the rule, by configuring the following parameters: Enabled: Each type limit can be activated or deactivated by including the enabled key in APIRateLimiterTypeObject. By default, the value of enabled is True, even if the key is not included. You need to include the "enabled": false key to deactivate the individual type limits. The following example shows a sample JSON file with default values: [ { "type": "OPERATOR_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] }, { "type": "MSP_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] }, { "type": "ENTERPRISE_USER", "policies": [ { "match": { "type": "ALL" }, "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] } ] Note: It is recommended not to change the default values of the configuration parameters. |
vco.api.rateLimit.rules.enterprise.default | Comprises the default set of Enterprise-specific policies applied to newly created Customers. The Customer-specific properties are stored in the Enterprise property vco.api.rateLimit.rules.enterprise. |
vco.api.rateLimit.rules.enterpriseProxy.default | Comprises the default set of Enterprise-specific policies applied to newly created Partners. The Partner-specific properties are stored in the Enterprise proxy property vco.api.rateLimit.rules.enterpriseProxy. |
For more information on Rate limiting, see Rate Limiting API Requests.
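As an added example (not Orchestrator code), this Python validates the structure of the vco.api.rateLimit.rules.global array shown above and simulates one type's reservoir policy in enforcing and LOG_ONLY mode. The token-bucket reading of reservoir, reservoirRefreshAmount and reservoirRefreshInterval, the helper names, and the request burst are assumptions constructed for the example; the JSON input is the default value from the table.

```python
import json

# Default value from the table above, embedded verbatim as the sample input.
DEFAULT_GLOBAL_RULES = """
[ { "type": "OPERATOR_USER", "policies": [ { "match": { "type": "ALL" },
    "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] },
  { "type": "MSP_USER", "policies": [ { "match": { "type": "ALL" },
    "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] },
  { "type": "ENTERPRISE_USER", "policies": [ { "match": { "type": "ALL" },
    "rules": { "reservoir": 500, "reservoirRefreshAmount": 500, "reservoirRefreshInterval": 5000 } } ] } ]
"""
KNOWN_TYPES = {"OPERATOR_USER", "MSP_USER", "ENTERPRISE_USER"}
RULE_KEYS = {"reservoir", "reservoirRefreshAmount", "reservoirRefreshInterval"}


def validate_rules(raw: str) -> list:
    """Return a list of problems with the array (empty means structurally sound)."""
    try:
        rules = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(rules, list):
        return ["top level must be a JSON array"]
    problems = []
    for i, obj in enumerate(rules):
        if not isinstance(obj, dict):
            problems.append(f"[{i}] type object must be a JSON object")
            continue
        if obj.get("type") not in KNOWN_TYPES:
            problems.append(f"[{i}] unknown type {obj.get('type')!r}")
        if not isinstance(obj.get("enabled", True), bool):   # optional key, default True
            problems.append(f"[{i}] enabled must be a boolean")
        for j, pol in enumerate(obj.get("policies", [])):
            if "match" not in pol:
                problems.append(f"[{i}].policies[{j}] missing match")
            r = pol.get("rules", {})
            missing = RULE_KEYS - set(r)
            if missing:
                problems.append(f"[{i}].policies[{j}] missing rules {sorted(missing)}")
            elif any(not isinstance(r[k], int) or r[k] <= 0 for k in RULE_KEYS):
                problems.append(f"[{i}].policies[{j}] rule values must be positive integers")
    return problems


class Reservoir:
    """Assumed semantics: start with `reservoir` tokens; every `reservoirRefreshInterval` ms reset to `reservoirRefreshAmount`."""

    def __init__(self, rules: dict, log_only: bool):
        self.tokens = rules["reservoir"]
        self.refresh_amount = rules["reservoirRefreshAmount"]
        self.interval_ms = rules["reservoirRefreshInterval"]
        self.log_only = log_only          # mirrors vco.api.rateLimit.mode.logOnly
        self.next_refresh = self.interval_ms
        self.log = []                     # what the limiter would log / emit as metrics

    def request(self, now_ms: int) -> int:
        """Return the HTTP status the limiter would produce: 200, or 429 when enforcing."""
        while now_ms >= self.next_refresh:
            self.tokens = self.refresh_amount
            self.next_refresh += self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return 200
        self.log.append(f"rate limit exceeded at {now_ms} ms")  # logged in both modes
        return 200 if self.log_only else 429


def simulate(raw: str, user_type: str, log_only: bool, request_times_ms: list) -> list:
    """Run a burst of requests for one user type through its first global policy."""
    obj = next(o for o in json.loads(raw) if o["type"] == user_type)
    if not obj.get("enabled", True):                 # "enabled": false switches the limit off
        return [200] * len(request_times_ms)
    bucket = Reservoir(obj["policies"][0]["rules"], log_only)
    return [bucket.request(t) for t in request_times_ms]
```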
System Property | Description |
---|---|
network.public.address | Specifies the browser origin address/DNS hostname that is used to access the SASE Orchestrator UI. |
network.portal.websocket.address | Allows setting an alternate DNS hostname/address to access the SASE Orchestrator UI from a browser, if the browser address is not the same as the value of the network.public.address system property. As remote diagnostics now uses a WebSocket connection, to ensure web security, the browser origin address that is used to access the Orchestrator UI is validated for incoming requests. In most cases, this address is the same as the |
session.options.websocket.portal.idle.timeout | Allows setting the total amount of time (in seconds) the browser WebSocket connection stays active in an idle state. By default, the browser WebSocket connection stays active for 300 seconds in an idle state. |
System Property | Description |
---|---|
session.options.enableSseService | Activates or deactivates the Security Service Edge (SSE) feature for Enterprise users. |
System Property | Description |
---|---|
enterprise.capability.enableSegmentation | Activates or deactivates the segmentation capability for Enterprise users. |
enterprise.segments.system.maximum | Specifies the maximum number of segments allowed for any Enterprise user. Ensure that you change the value of this system property to 128 if you want to enable 128 segments on SASE Orchestrator for an Enterprise user. |
enterprise.segments.maximum | Specifies the default value for the maximum number of segments allowed for a new or existing Enterprise user. The default value for any Enterprise user is 16. Note: This value must be less than or equal to the number defined in the system property enterprise.segments.system.maximum. It is not recommended to change the value of this system property if you want to enable 128 segments for an Enterprise user. Instead, you can enable Customer Capabilities in the Customer Configuration page to configure the required number of segments. For instructions, refer to the "Configure Customer Capabilities" section in the VMware SD-WAN Operator Guide available at VMware SD-WAN Documentation. |
enterprise.subinterfaces.maximum | Specifies the maximum number of sub-interfaces that can be configured for an Enterprise user. The default value is 32. |
enterprise.vlans.maximum | Specifies the maximum number of VLANs that can be configured for an Enterprise user. The default value is 32. |
session.options.enableAsyncAPI | When the segment scale is increased to 128 segments for an Enterprise user, you can enable Async API support on the UI with this system property to prevent UI timeouts. The default value is true. |
session.options.asyncPollingMilliSeconds | Specifies the polling interval for Async APIs on the UI. The default value is 5000 milliseconds. |
session.options.asyncPollingMaxCount | Specifies the maximum number of calls to getStatus API from the UI. The default value is 10. |
vco.enterprise.events.configuration.diff.enable | Activates or deactivates configuration diff event logging. Whenever the number of segments for an Enterprise user is greater than 4, the configuration diff event logging will be deactivated. You can enable configuration diff event logging using this system property. |
System Property | Description |
---|---|
vco.enterprise.resetPassword.twoFactor.mode | Defines the mode for the second level for password reset authentication, for all the Enterprise users. Currently, only the SMS mode is supported. |
vco.enterprise.resetPassword.twoFactor.required | Activates or deactivates the two-factor authentication for password reset of Enterprise users. |
vco.enterprise.selfResetPassword.enabled | Activates or deactivates self-service password reset for Enterprise users. |
vco.enterprise.selfResetPassword.token.expirySeconds | Duration of time, after which the self-service password reset link for an Enterprise user expires. |
vco.operator.resetPassword.twoFactor.required | Activates or deactivates the two-factor authentication for password reset of Operator users. |
vco.operator.selfResetPassword.enabled | Activates or deactivates self-service password reset for Operator users. |
vco.operator.selfResetPassword.token.expirySeconds | Duration of time, after which the self-service password reset link for an Operator user expires. |
System Property | Description |
---|---|
log.syslog.backend | Backend service syslog integration configuration. |
log.syslog.portal | Portal service syslog integration configuration. |
log.syslog.upload | Upload service syslog integration configuration. |
log.syslog.lastFetchedCRL.backend | Keeps the last updated CRL as PEM formatted string for service syslog and updated regularly. |
log.syslog.lastFetchedCRL.portal | Keeps the last updated CRL as PEM formatted string for service syslog and updated regularly. |
log.syslog.lastFetchedCRL.upload | Keeps the last updated CRL as PEM formatted string for service syslog and updated regularly. |
System Property | Description |
---|---|
session.options.enableTACACS | Activates or deactivates the TACACS services for Enterprise users. |
System Property | Description |
---|---|
vco.enterprise.authentication.twoFactor.enable | Activates or deactivates the two-factor authentication for Enterprise users. |
vco.enterprise.authentication.twoFactor.mode | Defines the mode for the second level authentication for Enterprise users. Currently, only SMS is supported as the second level authentication mode. |
vco.enterprise.authentication.twoFactor.require | Defines the two-factor authentication as mandatory for Enterprise users. |
vco.operator.authentication.twoFactor.enable | Activates or deactivates the two-factor authentication for Operator users. |
vco.operator.authentication.twoFactor.mode | Defines the mode for the second level authentication for Operator users. Currently, only SMS is supported as the second level authentication mode. |
vco.operator.authentication.twoFactor.require | Defines the two-factor authentication as mandatory for Operator users. |
System Property | Description |
---|---|
session.options.enableNsdPkiIPv6Config | Activates Certificate Authentication mode and IPv6 Local Identification Type. |
System Property | Description |
---|---|
edge.vnf.extraImageInfos | Defines the properties of a VNF Image. You can enter the following information for a VNF Image, in JSON format, in the Value field: [ { "vendor": "Vendor Name", "version": "VNF Image Version", "checksum": "VNF Checksum Value", "checksumType": "VNF Checksum Type" } ] Example of JSON file for Check Point Firewall Image: [ { "vendor": "checkPoint", "version": "r80.40_no_workaround_46", "checksum": "bc9b06376cdbf210cad8202d728f1602b79cfd7d", "checksumType": "sha-1" } ] Example of JSON file for Fortinet Firewall Image: [ { "vendor": "fortinet", "version": "624", "checksum": "6d9e2939b8a4a02de499528c745d76bf75f9821f", "checksumType": "sha-1" } ] |
edge.vnf.metric.record.limit | Defines the number of records to be stored in the database. |
enterprise.capability.edgeVnfs.enable | Allows VNF deployment on supported Edge models. |
enterprise.capability.edgeVnfs.securityVnf.checkPoint | Activates Check Point Networks Firewall VNF. |
enterprise.capability.edgeVnfs.securityVnf.fortinet | Activates Fortinet Networks Firewall VNF. |
enterprise.capability.edgeVnfs.securityVnf.paloAlto | Activates Palo Alto Networks Firewall VNF. |
session.options.enableVnf | Activates VNF feature. |
vco.operator.alert.edgeVnfEvent.enable | Activates or deactivates Operator alerts for Edge VNF events globally. |
vco.operator.alert.edgeVnfInsertionEvent.enable | Activates or deactivates Operator alerts for Edge VNF Insertion events globally. |
edge.vnf.extraImageInfos. | Allows selection of the Check Point VNF image. |
System Property | Description |
---|---|
vpn.disconnect.wait.sec | The time interval for the system to wait before disconnecting a VPN tunnel. |
vpn.reconnect.wait.sec | The time interval for the system to wait before reconnecting a VPN tunnel. |
System Property | Description |
---|---|
login.warning.banner.message | This optional system property allows the Operator to configure and display a Security Administrator-specified advisory notice and consent warning message regarding the use of SASE Orchestrator. The warning message is displayed in the SASE Orchestrator prior to user login. For instructions about how to configure this system property, see Configure Advisory Notice and Consent Warning Message for SD-WAN Orchestrator. |
System Property | Description |
---|---|
session.options.enableZscalerProfileAutomation | Enables configuring Zscaler settings at the Profile level. |