• 29 Apr 2024


      Article summary


      This guide will help you establish a Site-to-Site VPN tunnel between your Harmony SASE network and your FortiGate Devices environment.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts


      Pre-requisites

      To successfully follow this guide, ensure that:

      1. You have an active Harmony SASE account and network.
      2. The Harmony SASE app is installed on your devices.
      3. You have access to an active FortiGate Devices account with the necessary administrative permissions.

      Configuration Steps

      1. Under Network in the Management Platform on the left side, select the name of the network in which you'd like to set the tunnel.
      2. Locate the desired gateway, and select the three-dotted menu (...).
      3. Select Add Tunnel and then IPSec Site-2-Site Tunnel.
      4. In the General Settings section, fill in the following information:
        • Name: Choose whatever name you find suitable for the tunnel.
        • Shared Secret: Insert a string of your own or use Generate.
        • Public IP: Insert the public IP of the FortiGate device.
        • Remote ID: Insert the remote ID of the FortiGate device.
        • Harmony SASE Gateway Proposal Subnets: by default, this should be set to 10.XXX.0.0/16 (do not set to any).
        • Remote Gateway Proposal Subnets: click "Specified Subnets" and specify according to your local LAN Subnets.
      5. In the Advanced Settings section, complete the following information:
        • IKE Version: V2
        • Diffie-Hellman Groups (Phase 1): 21
        • Diffie-Hellman Groups (Phase 2): 21
          Leave the rest of the fields with the default values (as shown in the attached image).

      Configuring the tunnel in the FortiGate Management Interface

      1. Open the FortiGate Management Interface.
      2. In the left panel, select VPN, then IPsec Tunnels, and select Create New.
      3. In the VPN Creation Wizard window, set the Name to Harmony SASE (or any other name you desire), set the Template Type to Custom, and select Next.
      4. Fill in the following information:
        Network Section:
      • IP Version: IPv4
      • Remote Gateway: Static IP Address
      • IP Address: Insert the public IP of the location server
      • Interface: select your WAN interface
      • Mode Config: unchecked
      • NAT Traversal: Disable
      • Dead Peer Detection: On-Demand
      Note about NAT Traversal
      In rare cases the tunnel stops responding while still displaying itself as up and running on both sides - we found that changing NAT Traversal to Enabled can resolve it.

      Authentication section:

      • Method: Pre-shared Key
      • Pre-shared Key: Insert the Shared Key you chose in Step 1
      • IKE Version: 2
      • Mode: Main (ID protection)

      Phase 1 Proposal section:

      • Encryption: AES256
      • Authentication: SHA256
      • Diffie-Hellman Group: 21
      • Key Lifetime (seconds): 28800
      • Local ID: leave blank
      • XAUTH Section: leave disabled

      Phase 2 Selectors (+Advanced) section:

      • Name: Harmony SASE
      • Local Address: Your Local network Subnet
      • Remote Address: Harmony SASE network Subnet, Usually:
      • Enable Replay Detection: Checked
      • Enable Perfect Forward Secrecy (PFS): Checked
      • Diffie-Hellman Group: 21
      • Encryption: AES256
      • Authentication: SHA256
      • Local Port: Checked
      • Remote Port: Checked
      • Protocol: Checked
      • Key Lifetime: Seconds
      • Seconds: 3600

      Configuring firewall and static routing

      It is necessary to add static routes through the VPN tunnel gateway in both directions: from the Harmony SASE subnet (10.XXX.0.0/16) to the local network, and from the local network to the Harmony SASE subnet (10.XXX.0.0/16).

      1. Go to Network -> Routing -> Static Routes -> Create new -> Route.

      2. Set Destination to 10.XXX.0.0/16 and Device to Harmony SASE (or any other name you chose for the tunnel).

      3. Select OK.
      4. It is necessary to add firewall rules to allow traffic from the Harmony SASE subnet to your local network or services you desire.
        Go to Policy & Objects -> IPv4 Policy and select Create New.
      5. Fill in the following information:
      • Name: Harmony SASE
      • Incoming Interface: Harmony SASE
      • Outgoing Interface: Your local network object
      • Source: All
      • Destination: All
      • Schedule: Always
      • Service: All
      • NAT: Disabled

      If any additional settings appear, leave them in their default status.
      6. Select OK.

      Verifying the Setup

      1. In the FortiGate Management Interface, go to VPN -> IPSec Tunnels. If the tunnel is up, the line will appear in the table:

      After following the above steps, your tunnel should be active.
      To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
      It should indicate that the tunnel is "Up", signifying a successful connection.
      Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.


      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
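The settings review described above can be done offline before opening a support case. The following is an added example, not part of the original guide or of either vendor's tooling: it compares what was entered on each side against the values this guide prescribes and checks that the subnets mirror each other. The dictionary field names and the sample values are assumptions made for the example.

```python
import ipaddress

# Values the guide prescribes on both ends of the tunnel.
REQUIRED = {"ike_version": 2, "dh_phase1": 21, "dh_phase2": 21}

def check_tunnel(sase, forti, route_dst):
    """Return mismatches between the two tunnel definitions (hypothetical dict fields)."""
    findings = []
    for key, want in REQUIRED.items():
        for side, cfg in (("Harmony SASE", sase), ("FortiGate", forti)):
            if cfg.get(key) != want:
                findings.append(f"{side}: {key} is {cfg.get(key)!r}, guide says {want}")
    if sase["shared_secret"] != forti["psk"]:
        findings.append("pre-shared key differs between the two sides")
    # Traffic selectors must mirror: one side's local subnets are the other's remote.
    sase_local = ipaddress.ip_network(sase["gateway_subnet"])
    sase_remote = {ipaddress.ip_network(n) for n in sase["remote_subnets"]}
    forti_local = {ipaddress.ip_network(n) for n in forti["local_subnets"]}
    forti_remote = ipaddress.ip_network(forti["remote_subnet"])
    if sase_local.prefixlen == 0:
        findings.append("Harmony SASE gateway proposal subnet is 'any'; guide says not to")
    if sase_local != forti_remote:
        findings.append(f"FortiGate remote address {forti_remote} != SASE subnet {sase_local}")
    if sase_remote != forti_local:
        findings.append("FortiGate local addresses do not mirror SASE remote subnets")
    for lan in sorted(forti_local):
        if lan.overlaps(sase_local):
            findings.append(f"LAN {lan} overlaps SASE subnet {sase_local}; routing is ambiguous")
    # The FortiGate static route must send the SASE subnet into the tunnel.
    if ipaddress.ip_network(route_dst) != sase_local:
        findings.append(f"static route {route_dst} does not match {sase_local}")
    return findings

# Constructed sample input; 10.250.0.0/16 stands in for the guide's 10.XXX.0.0/16.
SASE = {"ike_version": 2, "dh_phase1": 21, "dh_phase2": 21, "shared_secret": "example-psk",
        "gateway_subnet": "10.250.0.0/16", "remote_subnets": ["192.168.10.0/24"]}
FORTI = {"ike_version": 2, "dh_phase1": 21, "dh_phase2": 14, "psk": "example-psk",
         "local_subnets": ["192.168.10.0/24"], "remote_subnet": "10.250.0.0/16"}

if __name__ == "__main__":
    for line in check_tunnel(SASE, FORTI, "10.250.0.0/16") or ["no mismatches found"]:
        print(line)
```
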

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website, or you can email us. We're here to assist you and ensure your VPN tunnel setup is a success.
