Analytics functionality is built natively into the VMware SD-WAN Edge for collecting data inline. However, by default, Analytics is deactivated for Edges. Enterprise Administrators can create Analytics Edges only when the Analytics functionality is activated.

To create a new SD-WAN Edge with Analytics, perform the following steps:


  • Ensure that all the necessary system properties to activate Analytics are properly set in the SASE Orchestrator. For more information, see the topic Activate VMware Edge Intelligence on a VMware SASE Orchestrator, in the VMware SD-WAN Operator Guide, available at
  • Ensure that the Analytics functionality is activated for the Customer before provisioning an Analytics Edge.
  • The SASE Orchestrator must be on and the SD-WAN Edges must be running a minimum of 4.3.1 code. You can review the software image installed on each Edge by navigating to Configure > Edges. The table on the Edges page has a column that displays the software version of each Edge per customer.
  • If the Edge is using the 4.2 release, ensure the Edge has a LAN interface that is up and advertised or use the special MGMT-IP software build, otherwise the Edge will not be able to send metrics to the EI backend.


  1. In the SD-WAN service of the Enterprise portal, click Configure > Edges.
  2. In the Edges screen, click Add Edge.
    The Provision an Edge screen appears.
  3. You can configure the following options:
    Option | Description
    Mode | Select a mode:
    • SD-WAN Edge: Allows monitoring, diagnostics, and configuration capabilities, including fault isolation and application-specific analytics that can alert you when an incident occurs on your Edge.
    • SD-WAN Edge with Analytics Enabled: Allows access to all the analytics for the Edge as well as the full suite of branch analytic features.
    • Analytics Only Edge: Allows monitoring the health, performance, and security of your LAN along with troubleshooting the problems.
      Note: You must delete the Edge and reconfigure it in order to change it back to an SD-WAN Edge.
    Name | Enter a unique name for the Edge.
    Model | Select an Edge model from the drop-down menu.
    Profile | Select a Profile to be assigned to the Edge, from the drop-down menu.
    Note: If an Edge Staging Profile is displayed as an option due to Edge Auto-activation, it indicates that this Profile is used by a newly assigned Edge, but has not been configured with a production Profile.
    Edge License | Select an Edge license from the drop-down menu. The list displays the licenses assigned to the Enterprise by the Operator.
    Authentication Mode | Choose the mode of authentication from the drop-down menu:
    • Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
      Warning: This mode is not recommended for any customer deployments.
    • Certificate Acquire: This mode is selected by default and is recommended for all customer deployments. With Certificate Acquire mode, certificates are issued at the time of Edge activation and renewed automatically. The Orchestrator instructs the Edge to acquire a certificate from the certificate authority of the SASE Orchestrator by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SASE Orchestrator and for establishment of VCMP tunnels.
      Note: After acquiring the certificate, the option can be updated to Certificate Required, if needed.
    • Certificate Required: This mode is only appropriate for customer enterprises that are "static". A static enterprise is defined as one where no more than a few new Edges are likely to be deployed and no new PKI-oriented changes are anticipated.
      Important: Certificate Required has no security advantages over Certificate Acquire. Both modes are equally secure and a customer using Certificate Required should do so only for the reasons outlined in this section.
      Certificate Required mode means that no Edge heartbeats are accepted without a valid certificate.
      Caution: Using this mode can cause Edge failures in cases where a customer is unaware of this strict enforcement.
      With this mode, the Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges by editing the Orchestrator's System Properties. For more information, contact your Operator.
    • With the Bastion Orchestrator feature enabled, the Edges that are to be staged to Bastion Orchestrator should have the authentication mode set to either Certificate Acquire or Certificate Required.
    • When an Edge certificate is revoked, the Edge is deactivated and needs to go through the activation process. The current QuickSec design checks certificate revocation list (CRL) time validity. The CRL time validity must match the current time of the Edges for the CRL to have an impact on newly established connections. To implement this, ensure the Orchestrator time is updated properly to match the date and time of the Edges.
    Encrypt Device Secrets | Select the Enable check box to allow the Edge to encrypt sensitive data across all platforms. This option is also available on the Configure > Edges > Overview page of the Enterprise SD-WAN service.
    Note: For Edge versions 5.2.0 and above, before you deactivate this option, you must first deactivate the Edge using remote actions. This causes the Edge to restart.
    High Availability | Select the Enable check box to apply High Availability (HA). Edges can be installed as a single standalone device or paired with another Edge to provide High Availability (HA) support.
    Local Contact Name | Enter the name of the site contact for the Edge.
    Local Contact Email | Enter the email address of the site contact for the Edge.
  4. Enter all the required details and click Next to configure the following additional options:
    Note: The Next button is activated only when you enter all the required details.
    Option | Description
    Serial Number | Enter the serial number of the Edge. If specified, the Edge must display this serial number on activation.
    Note: When deploying virtual VMware SD-WAN Edges on AWS Edges, make sure to use the instance ID as the serial number for the Edge.
    Description | Enter an appropriate description.
    Location | Click the Set Location link to set the location of the Edge. If not specified, the location is auto-detected from the IP address when the Edge is activated.
  5. Click Add Edge.
    An Analytics Edge is provisioned for the selected Customer. Once the Edge is provisioned, the Analytics functionality collects data, performs deep packet inspection of all traffic, identifies network applications, and correlates traffic with user information.
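
The CRL time-validity requirement in step 3, shown as an added example (not VMware code and not part of the original procedure): a simplified model of why an Edge whose clock disagrees with the Orchestrator can fail to honor a freshly issued CRL. It assumes the check compares the Edge's local clock with the CRL's thisUpdate and nextUpdate fields (RFC 5280); the Edge names, clock offsets, and serial number are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    this_update: datetime        # RFC 5280 thisUpdate, stamped by the issuer's clock
    next_update: datetime        # RFC 5280 nextUpdate
    revoked_serials: frozenset   # serial numbers of revoked Edge certificates

def crl_is_current(crl, local_now):
    """True when the verifier's own clock falls inside the CRL validity window."""
    return crl.this_update <= local_now <= crl.next_update

def revocation_enforced(serial, crl, local_now):
    """Assumed model: a CRL outside its window has no effect on new connections."""
    return crl_is_current(crl, local_now) and serial in crl.revoked_serials

def edges_ignoring_crl(crl, true_now, clock_offsets):
    """Names of Edges whose skewed clock puts the CRL outside its window."""
    return sorted(name for name, offset in clock_offsets.items()
                  if not crl_is_current(crl, true_now + offset))

def skew_budget(crl, true_now):
    """(max slow, max fast) clock error before the CRL stops being honored."""
    return (true_now - crl.this_update, crl.next_update - true_now)

# Constructed sample data: a CRL issued at 12:00 UTC, valid for 24 hours,
# evaluated 30 minutes after issue by Edges with different clock errors.
ISSUED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(ISSUED, ISSUED + timedelta(hours=24), frozenset({0x1A2B}))
TRUE_NOW = ISSUED + timedelta(minutes=30)
EDGE_OFFSETS = {
    "branch-a": timedelta(0),          # clock in sync
    "branch-b": timedelta(hours=-2),   # clock slow: CRL looks "not yet valid"
    "branch-c": timedelta(days=3),     # clock fast: CRL looks expired
    "branch-d": timedelta(minutes=5),  # small drift, still inside the window
}

if __name__ == "__main__":
    for name, offset in EDGE_OFFSETS.items():
        enforced = revocation_enforced(0x1A2B, SAMPLE_CRL, TRUE_NOW + offset)
        print(f"{name}: revoked certificate rejected = {enforced}")
    print("Edges ignoring CRL:", edges_ignoring_crl(SAMPLE_CRL, TRUE_NOW, EDGE_OFFSETS))
    print("Skew budget (slow, fast):", skew_budget(SAMPLE_CRL, TRUE_NOW))
```

The slow-clock case is the one that matters right after a revocation: the budget on that side is only the time elapsed since the CRL was issued.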

What to do next

To send the collected analytics data to the Cloud Analytics Engine, you must configure an Analytics interface on which the Edge transmits Analytics data.