{"slug":"deployment-checklist","title":"Deployment checklist","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Deployment checklist\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nThere are a number of topics to consider for a successful and scalable Tailscale deployment beyond configuration of individual devices and [access controls](https://tailscale.com/docs/features/access-control). This topic details some of the less obvious, but still important, concerns for using and deploying Tailscale at scale. You can use this topic as your Tailscale deployment checklist.\r\n\r\n## [Support](https://tailscale.com/docs/reference/deployment-checklist\\#support)\r\n\r\n- **Internal support**—provide documentation to your users on how to get internal support within your organization. Refer to [end-user client configuration](https://tailscale.com/docs/reference/deployment-checklist#end-user-client-configuration) for ways to customize the Tailscale client to help with this.\r\n- **Tailscale support**—document how and when to [contact Tailscale support](https://tailscale.com/contact/support) in internal documentation. Also include relevant departments (for example, IT help desk or production operations teams) and instructions to ask end-users to generate a [bug report](https://tailscale.com/docs/account/bug-report) when reporting issues internally and share the bug report identifier when contacting Tailscale support.\r\n\r\n## [Stay up-to-date on Tailscale news](https://tailscale.com/docs/reference/deployment-checklist\\#stay-up-to-date-on-tailscale-news)\r\n\r\n- Subscribe to the Tailscale [newsletter](https://info.tailscale.com/tailscale-newsletter-sign-up) and [blog](https://tailscale.com/blog#blog-newsletter) to stay up-to-date on general Tailscale news. Use email addresses that go to a group of users rather than a single individual.\r\n- Subscribe to the Tailscale [changelog](https://tailscale.com/changelog) RSS feed to stay up-to-date on client and service changes.\r\n- Subscribe to the Tailscale [security bulletins](https://tailscale.com/security-bulletins) RSS feed to stay up-to-date on security notifications.\r\n\r\n### [Organization notifications](https://tailscale.com/docs/reference/deployment-checklist\\#organization-notifications)\r\n\r\n- Set [contact preferences](https://login.tailscale.com/admin/settings/contact-preferences) to receive email notifications regarding account, configuration, and security updates. Use email addresses that go to a group of users rather than a single individual.\r\n\r\n## [Production best practices](https://tailscale.com/docs/reference/deployment-checklist\\#production-best-practices)\r\n\r\n- Understand how Tailscale and customers [share security responsibilities](https://tailscale.com/docs/concepts/shared-responsibility).\r\n- Implement [production best practices](https://tailscale.com/docs/reference/best-practices/production) related to [security](https://tailscale.com/docs/reference/best-practices/security), [performance](https://tailscale.com/docs/reference/best-practices/performance), and specific providers.\r\n- Understand [direct vs relayed connections](https://tailscale.com/docs/reference/connection-types) and which [firewall ports to open](https://tailscale.com/docs/reference/faq/firewall-ports), if any, to get the best performance from in your environment.\r\n\r\n## [Tailnet management](https://tailscale.com/docs/reference/deployment-checklist\\#tailnet-management)\r\n\r\nThe following sections detail how to manage your Tailscale network (known as a tailnet) at scale.\r\n\r\n### [General settings](https://tailscale.com/docs/reference/deployment-checklist\\#general-settings)\r\n\r\n- Configure [tailnet](https://login.tailscale.com/admin/settings/general), [user management](https://login.tailscale.com/admin/settings/user-management), and [device management](https://login.tailscale.com/admin/settings/device-management) settings per your organization's needs and security policies.\r\n- Manage your tailnet settings (such as device approval and key duration, DNS settings, log streaming and posture integrations, and more) with [infrastructure-as-code](https://tailscale.com/docs/integration-infrastructure-as-code) and [GitOps](https://tailscale.com/docs/gitops) to have an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.\r\n\r\n### [Tailnet policy file management](https://tailscale.com/docs/reference/deployment-checklist\\#tailnet-policy-file-management)\r\n\r\n- Manage your tailnet policy file (which includes access control policies, tags, and other settings) with [infrastructure-as-code](https://tailscale.com/docs/integration-infrastructure-as-code) and [GitOps](https://tailscale.com/docs/gitops). This provides an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.\r\n- Review [common patterns for tag names](https://tailscale.com/docs/features/tags#common-patterns-for-tag-names) and implement consistent tags that represent access patterns and network segments for your devices.\r\n\r\n## [User management](https://tailscale.com/docs/reference/deployment-checklist\\#user-management)\r\n\r\nThe following sections detail how to manage users in your tailnet at scale, including user provisioning, role assignments, and authentication requirements.\r\n\r\n### [User and group provisioning](https://tailscale.com/docs/reference/deployment-checklist\\#user-and-group-provisioning)\r\n\r\n- Configure [System for Cross-domain Identity Management (SCIM)](https://tailscale.com/learn/what-is-scim) with a supported provider to enable automatic [user and group provisioning](https://tailscale.com/docs/features/user-group-provisioning).\r\n\r\n### [Tailscale-specific roles](https://tailscale.com/docs/reference/deployment-checklist\\#tailscale-specific-roles)\r\n\r\n- Transfer organization [ownership](https://tailscale.com/docs/reference/user-roles#owner) to an appropriate team member. Oftentimes, the person that created the tailnet is not who should be the owner long-term.\r\n- Assign appropriate [Tailscale-specific roles](https://tailscale.com/docs/reference/user-roles) to team members based on their job function and responsibilities. Network admin, IT admin, and billing admin are common roles to assign.\r\n\r\n## [Device management](https://tailscale.com/docs/reference/deployment-checklist\\#device-management)\r\n\r\n- Set a [custom authentication period](https://tailscale.com/docs/features/access-control/key-expiry#setting-a-custom-authentication-period) to require users to re-authenticate with your identity provider per your company's security policies.\r\n- Enable [device identity collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) to accurately identify devices in your tailnet.\r\n- Set [default source posture rules](https://tailscale.com/docs/features/device-posture#default-source-posture) to require minimum operating system and Tailscale client versions.\r\n\r\n### [EDR and MDM integrations](https://tailscale.com/docs/reference/deployment-checklist\\#edr-and-mdm-integrations)\r\n\r\n- Configure Tailscale with your [EDR and MDM tool](https://tailscale.com/docs/features/device-posture#edr-and-mdm-integrations).\r\n- Define [device posture conditions](https://tailscale.com/docs/features/device-posture#device-posture-conditions) based on the node attributes available from your EDR and MDM tools.\r\n\r\n### [End-user client configuration](https://tailscale.com/docs/reference/deployment-checklist\\#end-user-client-configuration)\r\n\r\n- Deploy Tailscale client applications to end-users using a [mobile device management (MDM)](https://tailscale.com/docs/mdm) solution.\r\n- Enable [automatic client updates](https://tailscale.com/docs/features/client/update#auto-updates) for end-user devices to ensure employee devices stay up-to-date.\r\n- Configure end-user client applications using [system policies](https://tailscale.com/docs/features/tailscale-system-policies) through your MDM solution. Review the full list of system policies to determine which options are important to your organization. Some common system policies include:\r\n  - Force client behavior end-users will depend on:\r\n    - [`UseTailscaleDNSSettings`](https://tailscale.com/docs/features/tailscale-system-policies#set-whether-the-device-uses-tailscale-dns-settings) to always or never apply Tailscale DNS configuration when the tunnel is connected.\r\n    - [`UseTailscaleSubnets`](https://tailscale.com/docs/features/tailscale-system-policies#set-whether-the-device-accepts-tailscale-subnets) to always or never accept subnets advertised by other devices in your tailnet.\r\n    - [`PostureChecking`](https://tailscale.com/docs/features/tailscale-system-policies#enable-gathering-device-posture-data) to always or never gather device posture data.\r\n  - Hide unused capabilities in the client menu such as:\r\n    - [`AdminConsole`](https://tailscale.com/docs/features/tailscale-system-policies#hide-the-admin-console-menu-item) to show or hide the Tailscale admin console menu.\r\n    - [`HiddenNetworkDevices`](https://tailscale.com/docs/features/tailscale-system-policies#hide-network-devices) to show or hide one or more categories of devices in the **Network Devices** menu.\r\n    - [`ManageTailnetLock`](https://tailscale.com/docs/features/tailscale-system-policies#hide-the-tailnet-lock-settings) to show or hide the **Manage Tailnet Lock** menu.\r\n    - [`RunExitNode`](https://tailscale.com/docs/features/tailscale-system-policies#hide-the-exit-node-picker) to show or hide the **Run as Exit Node** menu.\r\n  - Provide information for how to get support from Tailscale administrators or your IT team:\r\n    - [`ManagedByCaption`](https://tailscale.com/docs/features/tailscale-system-policies#set-an-info-message) to specify a caption to be displayed in the **Managed By** section.\r\n    - [`ManagedByOrganizationName`](https://tailscale.com/docs/features/tailscale-system-policies#set-your-organization-name) to specify the name of the organization managing Tailscale, for instance \"XYZ Corp IT.\"\r\n    - [`ManagedByURL`](https://tailscale.com/docs/features/tailscale-system-policies#set-a-support-url) to specify a URL pointing to a help desk webpage or Slack channel.\r\n\r\n### [Server configuration](https://tailscale.com/docs/reference/deployment-checklist\\#server-configuration)\r\n\r\n- Automate server deployments using [infrastructure-as-code](https://tailscale.com/docs/integration-infrastructure-as-code) to provision devices in a repeatable manner less susceptible to human error.\r\n\r\n## [Monitoring](https://tailscale.com/docs/reference/deployment-checklist\\#monitoring)\r\n\r\n### [Client metrics](https://tailscale.com/docs/reference/deployment-checklist\\#client-metrics)\r\n\r\n- Collect [client metrics](https://tailscale.com/docs/reference/tailscale-client-metrics) for use with your monitoring system from your subnet routers, exit nodes, app connectors, and other important devices.\r\n\r\n### [Monitor tailnet changes](https://tailscale.com/docs/reference/deployment-checklist\\#monitor-tailnet-changes)\r\n\r\n- Configure [webhooks](https://tailscale.com/docs/features/webhooks) to receive important notifications to your central monitoring and alerting system—for example, your monitoring service or Slack. In particular, we recommend notifications for the following [event types](https://tailscale.com/docs/features/webhooks#events):\r\n  - Device misconfiguration: `exitNodeIPForwardingNotEnabled`\r\n  - Device misconfiguration: `subnetIPForwardingNotEnabled`\r\n  - Tailnet management: `nodeNeedsApproval`\r\n  - Tailnet management: `userNeedsApproval`\r\n  - Tailnet management: `userRoleUpdated`\r\n  - Webhook management: `webhookUpdated`\r\n  - Webhook management: `webhookDeleted`\r\n\r\n### [Log streaming](https://tailscale.com/docs/reference/deployment-checklist\\#log-streaming)\r\n\r\n- Configure [log streaming](https://tailscale.com/docs/features/logging/log-streaming) to stream configuration and network flow logs to your [Security Information and Event Management (SIEM)](https://tailscale.com/learn/security-information-and-event-management) system.\r\n\r\n- Configure data retention of logs in your SIEM per your company's security policies.\r\n\r\n- Configure alerts in your SIEM to notify you of noteworthy events. In particular, we recommend alerts for events related to settings changed through the Tailscale admin console:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n// Other fields omitted for brevity\r\n{\r\n    \"action\": \"CREATE\",\r\n    \"origin\": \"ADMIN_CONSOLE\",\r\n    // ...\r\n},\r\n{\r\n    \"action\": \"UPDATE\",\r\n    \"origin\": \"ADMIN_CONSOLE\",\r\n    // ...\r\n},\r\n{\r\n    \"action\": \"DELETE\",\r\n    \"origin\": \"ADMIN_CONSOLE\",\r\n    // ...\r\n},\r\n```\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Deployment checklist</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>There are a number of topics to consider for a successful and scalable Tailscale deployment beyond configuration of individual devices and <a href=\"https://tailscale.com/docs/features/access-control\">access controls</a>. This topic details some of the less obvious, but still important, concerns for using and deploying Tailscale at scale. You can use this topic as your Tailscale deployment checklist.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#support\">Support</a></h2>\n<ul>\n<li><strong>Internal support</strong>—provide documentation to your users on how to get internal support within your organization. Refer to <a href=\"https://tailscale.com/docs/reference/deployment-checklist#end-user-client-configuration\">end-user client configuration</a> for ways to customize the Tailscale client to help with this.</li>\n<li><strong>Tailscale support</strong>—document how and when to <a href=\"https://tailscale.com/contact/support\">contact Tailscale support</a> in internal documentation. Also include relevant departments (for example, IT help desk or production operations teams) and instructions to ask end-users to generate a <a href=\"https://tailscale.com/docs/account/bug-report\">bug report</a> when reporting issues internally and share the bug report identifier when contacting Tailscale support.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#stay-up-to-date-on-tailscale-news\">Stay up-to-date on Tailscale news</a></h2>\n<ul>\n<li>Subscribe to the Tailscale <a href=\"https://info.tailscale.com/tailscale-newsletter-sign-up\">newsletter</a> and <a href=\"https://tailscale.com/blog#blog-newsletter\">blog</a> to stay up-to-date on general Tailscale news. Use email addresses that go to a group of users rather than a single individual.</li>\n<li>Subscribe to the Tailscale <a href=\"https://tailscale.com/changelog\">changelog</a> RSS feed to stay up-to-date on client and service changes.</li>\n<li>Subscribe to the Tailscale <a href=\"https://tailscale.com/security-bulletins\">security bulletins</a> RSS feed to stay up-to-date on security notifications.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#organization-notifications\">Organization notifications</a></h3>\n<ul>\n<li>Set <a href=\"https://login.tailscale.com/admin/settings/contact-preferences\">contact preferences</a> to receive email notifications regarding account, configuration, and security updates. Use email addresses that go to a group of users rather than a single individual.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#production-best-practices\">Production best practices</a></h2>\n<ul>\n<li>Understand how Tailscale and customers <a href=\"https://tailscale.com/docs/concepts/shared-responsibility\">share security responsibilities</a>.</li>\n<li>Implement <a href=\"https://tailscale.com/docs/reference/best-practices/production\">production best practices</a> related to <a href=\"https://tailscale.com/docs/reference/best-practices/security\">security</a>, <a href=\"https://tailscale.com/docs/reference/best-practices/performance\">performance</a>, and specific providers.</li>\n<li>Understand <a href=\"https://tailscale.com/docs/reference/connection-types\">direct vs relayed connections</a> and which <a href=\"https://tailscale.com/docs/reference/faq/firewall-ports\">firewall ports to open</a>, if any, to get the best performance from in your environment.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#tailnet-management\">Tailnet management</a></h2>\n<p>The following sections detail how to manage your Tailscale network (known as a tailnet) at scale.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#general-settings\">General settings</a></h3>\n<ul>\n<li>Configure <a href=\"https://login.tailscale.com/admin/settings/general\">tailnet</a>, <a href=\"https://login.tailscale.com/admin/settings/user-management\">user management</a>, and <a href=\"https://login.tailscale.com/admin/settings/device-management\">device management</a> settings per your organization's needs and security policies.</li>\n<li>Manage your tailnet settings (such as device approval and key duration, DNS settings, log streaming and posture integrations, and more) with <a href=\"https://tailscale.com/docs/integration-infrastructure-as-code\">infrastructure-as-code</a> and <a href=\"https://tailscale.com/docs/gitops\">GitOps</a> to have an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#tailnet-policy-file-management\">Tailnet policy file management</a></h3>\n<ul>\n<li>Manage your tailnet policy file (which includes access control policies, tags, and other settings) with <a href=\"https://tailscale.com/docs/integration-infrastructure-as-code\">infrastructure-as-code</a> and <a href=\"https://tailscale.com/docs/gitops\">GitOps</a>. This provides an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.</li>\n<li>Review <a href=\"https://tailscale.com/docs/features/tags#common-patterns-for-tag-names\">common patterns for tag names</a> and implement consistent tags that represent access patterns and network segments for your devices.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#user-management\">User management</a></h2>\n<p>The following sections detail how to manage users in your tailnet at scale, including user provisioning, role assignments, and authentication requirements.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#user-and-group-provisioning\">User and group provisioning</a></h3>\n<ul>\n<li>Configure <a href=\"https://tailscale.com/learn/what-is-scim\">System for Cross-domain Identity Management (SCIM)</a> with a supported provider to enable automatic <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user and group provisioning</a>.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#tailscale-specific-roles\">Tailscale-specific roles</a></h3>\n<ul>\n<li>Transfer organization <a href=\"https://tailscale.com/docs/reference/user-roles#owner\">ownership</a> to an appropriate team member. Oftentimes, the person that created the tailnet is not who should be the owner long-term.</li>\n<li>Assign appropriate <a href=\"https://tailscale.com/docs/reference/user-roles\">Tailscale-specific roles</a> to team members based on their job function and responsibilities. Network admin, IT admin, and billing admin are common roles to assign.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#device-management\">Device management</a></h2>\n<ul>\n<li>Set a <a href=\"https://tailscale.com/docs/features/access-control/key-expiry#setting-a-custom-authentication-period\">custom authentication period</a> to require users to re-authenticate with your identity provider per your company's security policies.</li>\n<li>Enable <a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">device identity collection</a> to accurately identify devices in your tailnet.</li>\n<li>Set <a href=\"https://tailscale.com/docs/features/device-posture#default-source-posture\">default source posture rules</a> to require minimum operating system and Tailscale client versions.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#edr-and-mdm-integrations\">EDR and MDM integrations</a></h3>\n<ul>\n<li>Configure Tailscale with your <a href=\"https://tailscale.com/docs/features/device-posture#edr-and-mdm-integrations\">EDR and MDM tool</a>.</li>\n<li>Define <a href=\"https://tailscale.com/docs/features/device-posture#device-posture-conditions\">device posture conditions</a> based on the node attributes available from your EDR and MDM tools.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#end-user-client-configuration\">End-user client configuration</a></h3>\n<ul>\n<li>Deploy Tailscale client applications to end-users using a <a href=\"https://tailscale.com/docs/mdm\">mobile device management (MDM)</a> solution.</li>\n<li>Enable <a href=\"https://tailscale.com/docs/features/client/update#auto-updates\">automatic client updates</a> for end-user devices to ensure employee devices stay up-to-date.</li>\n<li>Configure end-user client applications using <a href=\"https://tailscale.com/docs/features/tailscale-system-policies\">system policies</a> through your MDM solution. Review the full list of system policies to determine which options are important to your organization. Some common system policies include:\n<ul>\n<li>Force client behavior end-users will depend on:\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#set-whether-the-device-uses-tailscale-dns-settings\"><code>UseTailscaleDNSSettings</code></a> to always or never apply Tailscale DNS configuration when the tunnel is connected.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#set-whether-the-device-accepts-tailscale-subnets\"><code>UseTailscaleSubnets</code></a> to always or never accept subnets advertised by other devices in your tailnet.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#enable-gathering-device-posture-data\"><code>PostureChecking</code></a> to always or never gather device posture data.</li>\n</ul>\n</li>\n<li>Hide unused capabilities in the client menu such as:\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#hide-the-admin-console-menu-item\"><code>AdminConsole</code></a> to show or hide the Tailscale admin console menu.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#hide-network-devices\"><code>HiddenNetworkDevices</code></a> to show or hide one or more categories of devices in the <strong>Network Devices</strong> menu.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#hide-the-tailnet-lock-settings\"><code>ManageTailnetLock</code></a> to show or hide the <strong>Manage Tailnet Lock</strong> menu.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#hide-the-exit-node-picker\"><code>RunExitNode</code></a> to show or hide the <strong>Run as Exit Node</strong> menu.</li>\n</ul>\n</li>\n<li>Provide information for how to get support from Tailscale administrators or your IT team:\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#set-an-info-message\"><code>ManagedByCaption</code></a> to specify a caption to be displayed in the <strong>Managed By</strong> section.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#set-your-organization-name\"><code>ManagedByOrganizationName</code></a> to specify the name of the organization managing Tailscale, for instance \"XYZ Corp IT.\"</li>\n<li><a href=\"https://tailscale.com/docs/features/tailscale-system-policies#set-a-support-url\"><code>ManagedByURL</code></a> to specify a URL pointing to a help desk webpage or Slack channel.</li>\n</ul>\n</li>\n</ul>\n</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#server-configuration\">Server configuration</a></h3>\n<ul>\n<li>Automate server deployments using <a href=\"https://tailscale.com/docs/integration-infrastructure-as-code\">infrastructure-as-code</a> to provision devices in a repeatable manner less susceptible to human error.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/reference/deployment-checklist#monitoring\">Monitoring</a></h2>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#client-metrics\">Client metrics</a></h3>\n<ul>\n<li>Collect <a href=\"https://tailscale.com/docs/reference/tailscale-client-metrics\">client metrics</a> for use with your monitoring system from your subnet routers, exit nodes, app connectors, and other important devices.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#monitor-tailnet-changes\">Monitor tailnet changes</a></h3>\n<ul>\n<li>Configure <a href=\"https://tailscale.com/docs/features/webhooks\">webhooks</a> to receive important notifications to your central monitoring and alerting system—for example, your monitoring service or Slack. In particular, we recommend notifications for the following <a href=\"https://tailscale.com/docs/features/webhooks#events\">event types</a>:\n<ul>\n<li>Device misconfiguration: <code>exitNodeIPForwardingNotEnabled</code></li>\n<li>Device misconfiguration: <code>subnetIPForwardingNotEnabled</code></li>\n<li>Tailnet management: <code>nodeNeedsApproval</code></li>\n<li>Tailnet management: <code>userNeedsApproval</code></li>\n<li>Tailnet management: <code>userRoleUpdated</code></li>\n<li>Webhook management: <code>webhookUpdated</code></li>\n<li>Webhook management: <code>webhookDeleted</code></li>\n</ul>\n</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/reference/deployment-checklist#log-streaming\">Log streaming</a></h3>\n<ul>\n<li>\n<p>Configure <a href=\"https://tailscale.com/docs/features/logging/log-streaming\">log streaming</a> to stream configuration and network flow logs to your <a href=\"https://tailscale.com/learn/security-information-and-event-management\">Security Information and Event Management (SIEM)</a> system.</p>\n</li>\n<li>\n<p>Configure data retention of logs in your SIEM per your company's security policies.</p>\n</li>\n<li>\n<p>Configure alerts in your SIEM to notify you of noteworthy events. In particular, we recommend alerts for events related to settings changed through the Tailscale admin console:</p>\n</li>\n</ul>\n<pre><code class=\"language-json\">// Other fields omitted for brevity\r\n{\r\n    \"action\": \"CREATE\",\r\n    \"origin\": \"ADMIN_CONSOLE\",\r\n    // ...\r\n},\r\n{\r\n    \"action\": \"UPDATE\",\r\n    \"origin\": \"ADMIN_CONSOLE\",\r\n    // ...\r\n},\r\n{\r\n    \"action\": \"DELETE\",\r\n    \"origin\": \"ADMIN_CONSOLE\",\r\n    // ...\r\n},\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}