Enhanced Network

  • Updated on Dec 30, 2025
  • Published on Dec 30, 2025
  • 6 minute(s) read
  • R
 Prev Next

An Enhanced Network offers better scalability and easier management.

Benefits

  • Improved scalability:

    • Support for more users per network

    • Higher throughput per tunnel

    • Up to eight parallel terminations for redundant IPSec tunnels. This offers better resiliency, load sharing, and overall scale compared to Standard Networks, which support only two parallel terminations.

  • Simplified management:

    • Each region uses a single public IP address, regardless of scale. This removes the need to manage multiple public IP addresses.

    • Capacity in a region can be quickly adjusted by adding or removing Scale Units, the virtual equivalent of gateways in Standard Networks.

  • Enhanced user interface:
    Improved network management interface, making it easier to create and maintain IPSec tunnels.

  • Early access to features:
    New features and bug fixes are released first or exclusively to Enhanced Networks.

  • Exclusive security features:
    Site Security is available only on Enhanced Networks.

Enhanced Network is available in Early Availability (EA) only. To enable, contact Check Point Support.

Supported Regions

Enhanced Networks are supported in these regions:

North America

  • Ashburn

  • Atlanta

  • Boston

  • Chicago 2

  • Dallas

  • Dallas 2

  • Denver

  • Honolulu

  • Los Angeles 1

  • Los Angeles 2

  • Miami

  • New Jersey

  • New York 1

  • New York 3

  • Seattle

  • Silicon Valley 1

  • Silicon Valley 2

  • Toronto 3

  • Vancouver

EMEA

  • Amsterdam 2

  • Brussels 1

  • Dubai

  • Frankfurt 1

  • Frankfurt 4

  • Israel 1

  • Israel 2

  • Johannesburg

  • London 1

  • London 3

  • London 4

  • Madrid 2

  • Manchester 1

  • Manchester 2

  • Paris

  • Stockholm 2

  • Vienna

  • Warsaw 2

  • Zurich

APAC

  • Bangalore 2

  • Delhi

  • Melbourne 1

  • Mumbai 2

  • Osaka

  • Seoul

  • Singapore 3

  • Sydney 1

  • Tokyo 1

LATAM

  • Mexico City

  • Santiago 1

  • Sao Paulo 1

High Level Procedure

  1. Create an Enhanced Network and add Regions

  2. Add a Tunnel

    1. Choose Tunnel Type

Creating an Enhanced Network

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click Create Network.

  3. Select Enhanced Network and click Continue.

  4. Enter the network details:

    1. Network name: Name for your network. For example, HQ, Finance, or Staging.

    2. Icon: By default the network icon    is applied. If you do not choose one, click Browse to select an icon.

    3. Region: Region to deploy the Harmony SASE gateway.

      Recommended to choose a region closest to your sites and members.

    4. Scale Units: The number of gateways you want to deploy in the region.

      Scale Unit is a virtual network component that allows defining the expected capacity in each network region. One Scale Unit's expected capacity is similar to the capacity of a single Standard Network Gateway.

      Each Scale Unit consumes one Gateway License.

    5. (Optional) Add Region: To add more regions, click Add Region and repeat steps c and d.

    6. (Optional) Network Tags: Add tags to identify the purpose or team.

    7. (Optional) Subnet: By default the network subnet IP address is 10.255.0.0/16. For information on possible subnets and bit masks, see sk182225.

      You cannot change the subnet after creation. Ensure it does not overlap with SD-WAN device subnets.

    8. By default the Activate Regions For Users checkbox is selected. If you want to deactivate the region, disable it.

  5. Click Create Network.

    The system shows the progress of the network status on the Networks page. After the network is created, proceed with Adding a Tunnel.

Adding a Tunnel

  1. In the Networks page, select your Enhanced Network.

  2. For the region to which you want to add the tunnel, click and click Add Tunnel.

  3. Enter these details:

    1. Tunnel Name

    2. Add Short Tunnel description

    3. By default the Enable DNS Services is enabled. Disable if you want to deactivate the DNS services.

      • Enable: Activates Harmony SASE’s DNS services, including Private DNS and DNS Filtering on all tunnel traffic.

      • Disable: No DNS services for Site to Site tunnel traffic.

  4. Click Continue.

    The Choose Tunnel Type window appears.

  5. Select your preferred Tunnel Type.

Choosing Tunnel Type

  1. In the Choose Tunnel Type window, select one of these:

    • Dynamic Routing (Recommended):

      • High availability, active-active architecture.

      • Requires at least two regions.

      • Supports up to eight IPSec terminations for resiliency and load sharing.

    • Static Routing:

      Single IPSec tunnel between Harmony SASE and your site.

  2. Click Continue.

    Refer:

Dynamic Routing

  1. In Dynamic Tunnel Configuration window, Select Region section:

    • For the first tunnel, the Region is selected by default.

    • For the second tunnel, select the Region from the list.

    You can add up to eight parallel IPSec terminations for resiliency and load sharing.

  2. Make sure Authentication Method is Shared Secret and enter Shared Secret key.

  3. Enter these details:

    1. SASE Tunnel Internal IP

    2. Site Public IP: Public IP address of the second end of the tunnel.

    3. Site ID: In most cases, the ID of the tunnel is its public IP. However, it must be configured to the same value on both ends.

    4. Site Gateway Internal IP

    5. Site Gateways ASN

  4. Click Continue.

    The IPSec Configuration window appears.

  5. By default Harmony SASE Proposed Subnets is Any (0.0.0.0/0).

    The IPSec network selector should be configured to the same value at both ends of the tunnel.

  6. Enter Site Subnets.

  7. Enter Autonomous System Number (ASN).

    The Autonomous System Number (ASN) is required for the Border Gateway Protocol (BGP).

  8. In Recommended Defaults, the values are by default based on the service provider. For more details, refer Connect Cloud Resources and Connect On-Prem Resources.

  9. Click Continue.

    The Tunnel Creation Summary window appears. You can see all the configuration details.

  10. (Optional) Click Export Configurations to download configuration json file.

  11. Click Complete.

    The tunnel is created and listed in your Networks page.

Static Routing

  1. In the Import Configurations window, select Manual Configuration and click Continue.

  2. In the Tunnel Configuration window, the Authentication Method is selected as Shared Secret by default.

  3. Click Generate to get the Shared Secret key.

  4. Enter Site Public IP: It is the Public IP address of the second end of the tunnel.

  5. (Optional) Site ID: In most cases, the ID of the tunnel is its public IP. However, it must be configured to the same value on both ends.

  6. By default Harmony SASE Proposed Subnets is selected as Any (0.0.0.0/0).

  1. By default Remote Gateway Proposed Subnets is Any (0.0.0.0/0).

    It is not recommended to use Specified Subnets or Policy Based Routing. Consider using Any (0.0.0.0/0), Route Based instead.

  2. Enter Subnets.

  3. Click Continue.

  4. In IPSec Configuration window, the values are by default based on the service provider. For more details, refer Connect Cloud Resources and Connect On-Prem Resources.

  5. Click Continue.

    The Tunnel Creation Summary window appears. You can see all the configuration details.

  6. (Optional) Click Export Configurations to download configuration json file.

  7. Click Complete.

    The tunnel is created and listed in your Networks page.

Managing a Network

Editing a Network

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click and then click Edit Network.

    The Edit Network window appears.

  4. Make the required changes (Network name, Network tags, Icon) and click Save.

    You cannot change the Subnet after network creation.

Adding Regions

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click and then click Edit Network.

    The Add Region window appears.

  4. From the Region list, select the region to deploy the Harmony SASE gateway.

  5. In the Scale Units field, enter the number of gateways you want to deploy in the region.

  6. To add more regions, click Add Region and repeat steps 4 and 5.

  7. To activate the region for users, select the Activate Regions For Users checkbox.

  8. Click Add Region.

Managing Access

Manage Access allows you to select the member groups who can access the network.

To manage access to a network:

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click  and then click Manage Access.

    The Manage Access window appears.

  4. From the list, select the member groups who can access the network.

  5. To remove a member group, click Remove.

  6. Click Apply.

Managing Tunnels

In Enhanced Networks, all tunnel operations happen at the Region level (not on gateways).

Editing a Tunnel

  1. In the Networks page, select your Enhanced Network.

  2. Click and click Edit Tunnel.

    The Edit Tunnel pop up appears.

  3. Make the required changes and click Apply Changes.

    For Tunnel Configurations:

    • You cannot add and delete terminations in the same edit session.

    • You cannot move a termination to a different region, delete or re-add it.

    • Ensure the region has enough Scale Units before adding terminations.

    For IPSec settings:

    • Use vendor recommendations unless you have a specific compliance requirement.

    • Incorrect IPSec settings can cause tunnel failure, validate changes before applying.

Viewing Tunnel Details

  1. In the Networks page, select your Enhanced Network.

  2. Click and click View Tunnel.

    The Tunnel Details pop up appears.

Delete a Tunnel

  1. In the Networks page, select your Enhanced Network.

  2. Click and click Delete Tunnel.

    The Delete Dynamic Tunnel pop up appears.

  3. Click Delete.

Notes:

  • Make sure no active traffic depends on the tunnel before you delete it.

  • You can delete individual terminations or the entire dynamic tunnel.

  • Once you start a delete operation, you cannot add new terminations in the same session.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at sase.checkpoint.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.