Tenant Settings & Features
Each tenant has configurable settings that control its capabilities, resource limits, and operational status.
Feature Flags
Feature flags allow you to toggle specific platform capabilities on a per-tenant basis. This is useful for licensing, staged rollouts, or restricting features to specific customers.
Available Feature Flags
Suricata IDS/IPS
Controls whether intrusion detection and prevention is available for the tenant's edges.
- Enabled (default): Suricata configuration is included in the edge batch config. Edges run Suricata for traffic inspection, and the UI displays IDS/IPS dashboards and alert panels.
- Disabled: Suricata configuration is excluded from the edge batch config. The UI displays a "Feature Disabled" banner on Suricata-related pages. Sidebar menu items show a lock icon.
WireGuard IoT Gateway
Controls whether the IoT WireGuard gateway (wg0) is available for the tenant's edges.
- Enabled (default): The wg0 IoT gateway section is included in the edge batch config. Edges accept IoT device connections via WireGuard.
- Disabled: The wg0 IoT gateway section is excluded from the batch config. The UI displays a "Feature Disabled" banner on IoT gateway pages.
Default Behavior
Both features are enabled by default unless explicitly disabled. If no feature flag row exists for a tenant, the feature is treated as enabled.
Feature flag changes take effect on the next config sync to edges. Existing running services are not immediately stopped — the change is applied when the edge receives its next batch configuration.
Disabling a feature does not remove existing configuration from edges. It prevents new configuration from being pushed. If you need to actively remove a running service, you must decommission it separately on the edge.
Toggling Feature Flags
- Navigate to Tenants and select the target tenant
- Open the Settings tab
- Toggle the desired feature flag on or off
- Click Save
The change is recorded immediately. Edges will pick up the updated configuration on their next sync cycle.
Quotas
Resource quotas set upper limits on what a tenant can provision:
| Quota | Description |
|---|---|
| Max Devices | Maximum number of edge devices the tenant can register |
| Max Users | Maximum number of VPN users the tenant can invite |
When a quota is reached, the tenant will be unable to add new resources of that type until existing ones are removed or the quota is increased.
Tenant Status
Each tenant has a status that controls its operational state:
| Status | Description |
|---|---|
| Active | Tenant is fully operational. Users can log in, edges sync configuration. |
| Suspended | Tenant is temporarily restricted. Edges continue running with their last config, but no new changes can be pushed. Users cannot log in. |
| Disabled | Tenant is fully deactivated. All operations are blocked. |
Suspending or disabling a tenant does not shut down edge devices. Edges continue operating with their last-known configuration. To fully decommission a tenant's edges, you must do so explicitly.