---
title: "Enhanced Network"
slug: "creating-a-enhanced-network"
updated: 2026-04-07T10:24:51Z
published: 2026-04-07T10:24:51Z
canonical: "support.perimeter81.com/creating-a-enhanced-network"
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Enhanced Network

An Enhanced Network offers better scalability and easier management.

## **Benefits**

- **Improved scalability**:
  - Support more users per network.
  - Higher throughput per tunnel
  - Up to **eight** parallel terminations for redundant IPSec tunnels. This offers better resiliency, load sharing, and overall scale compared to Standard Networks, which support only two parallel terminations.
  - Ability to define tunnel bandwidth for better traffic optimization and capacity planning.
- **Simplified management**:
  - Each region uses a single public IP address, regardless of scale. This removes the need to manage multiple public IP addresses.
  - Capacity in a region can be quickly adjusted by adding or removing **Scale Units**, the virtual equivalent of gateways in Standard Networks.
- **Enhanced user interface**: Improved network management interface, making it easier to create and maintain IPSec tunnels.
- **Early access to features**: New features and bug fixes are released first or exclusively to Enhanced Networks.

## **Supported Regions**

Enhanced Networks are supported in these regions:

| North America - Ashburn - Atlanta - Boston - Chicago 2 - Dallas - Dallas 2 - Denver - Honolulu - Los Angeles 1 - Los Angeles 2 - Miami - New Jersey - New York 1 - New York 3 - Seattle - Silicon Valley 1 - Silicon Valley 2 - Toronto 3 - Vancouver | EMEA - Amsterdam 2 - Brussels 1 - Dubai - Frankfurt 1 - Frankfurt 4 - Israel 1 - Israel 2 - Istanbul - Johannesburg - London 1 - London 3 - London 4 - Madrid 2 - Manchester 1 - Manchester 2 - Paris - Stockholm 2 - Vienna - Warsaw 2 - Zurich | APAC - Auckland - Bangalore 2 - Hong Kong - Melbourne 1 - Mumbai 2 - New Delhi - Osaka - Perth, Australia - Seoul - Singapore 3 - Sydney 1 - Taipei - Tokyo 1 | LATAM - Mexico City - Santiago 1 - Sao Paulo 2 |
| --- | --- | --- | --- |

## High Level Procedure

1. [Create an Enhanced Network and add Regions](/v1/docs/creating-a-enhanced-network#creating-an-enhanced-network)
2. [Add a Tunnel](/v1/docs/creating-a-enhanced-network#adding-a-tunnel)
  1. [Choose Tunnel Type](/v1/docs/creating-a-enhanced-network#choosing-tunnel-type)
    - [Dynamic Routing](/v1/docs/creating-a-enhanced-network#dynamic-routing-configuration)
    - [Static Routing](/v1/docs/creating-a-enhanced-network#static-routing)

## **Creating an Enhanced Network**

1. Access the Check Point SASE Administrator Portal and click **Networks.**
2. Click **Create Network**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Networks(1).png)
3. Select **Enhanced Network**and click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Select network.png)
4. Enter the network details:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Network name.png)
  1. **Network name:** Name for your network. For example, HQ, Finance, or Staging.
  2. **Icon:** By default, the network icon ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-KCU9E9UA.png) is applied. If you do not choose one, click **Browse** to select one.
  3. **Region:** Region to deploy the Check Point SASE gateway.

> Recommended to choose a region closest to your sites and members.
  4. **Scale Units:** The number of gateways you want to deploy in the region.

> Scale Unit is a virtual network component that allows defining the expected capacity in each network region. One Scale Unit's expected capacity is similar to the capacity of a single Standard Network Gateway.
> 
> Each Scale Unit consumes one Gateway License.
  5. (Optional)**Add Region**: To add more regions, click **Add Region** and repeat steps c and d.
  6. (Optional) **Network Tags:** Add tags to identify the purpose or team.
  7. (Optional) **Subnet:** By default the network subnet IP address is 10.255.0.0/16. For information on possible subnets and bit masks, see [sk182225](https://support.checkpoint.com/results/sk/sk182225).

> [!WARNING]
> You cannot change the subnet after creation. Ensure it does not overlap with SD-WAN device subnets.
  8. By default the **Activate Regions For Users** checkbox is selected. If you want to deactivate the region, disable it.
5. Click **Create Network**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-8OF7HCOS.png)

The system shows the progress of the network status on the **Networks** page. After the network is created, proceed with [Adding a Tunnel](/v1/docs/creating-a-enhanced-network#adding-a-tunnel).

## Adding a Tunnel

1. In the **Networks** page, select your Enhanced Network.
2. For the region to which you want to add the tunnel, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and click **Add Tunnel**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Add Tunnel.png)
3. Enter these details:
  1. **Tunnel Name**
  2. **Add Short Tunnel description**
  3. **Add Tunnel Estimated Maximum Bandwidth**

Specify the expected peak throughput of the tunnel communication in Mbps.
    - **Range**: 10–8000 Mbps
    - **Typical connection**: 1000 Mbps
  4. By default the **Enable DNS Services** is enabled. Disable if you want to deactivate the DNS services.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-BTIUSDAA.png)
    - Enable: Activates Check Point SASE’s DNS services, including Private DNS and DNS Filtering on all tunnel traffic.
    - Disable: No DNS services for Site to Site tunnel traffic.
4. Click **Continue.**

The **Choose Tunnel Type** window appears.
5. Select your preferred [Tunnel Type](/v1/docs/creating-a-enhanced-network#choosing-tunnel-type).

### Choosing Tunnel Type

1. In the **Choose Tunnel Type** window, select one of these:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Choose Tunnel Type.png)
  - **Dynamic Routing (Recommended)**:
    - High availability, active-active architecture.
    - Requires at least two regions.
    - Supports up to eight IPSec terminations for resiliency and load sharing.
  - **Static Routing**:

Single IPSec tunnel between Check Point SASE and your site.
2. Click **Continue.**

Refer:
  - [Dynamic Routing (Recommended)](/v1/docs/creating-a-enhanced-network#dynamic-routing-configuration)
  - [Static Routing](/v1/docs/creating-a-enhanced-network#static-routing)

#### Dynamic Routing

1. In **Dynamic Tunnel Configuration** window, **Select Region** section:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-C0DSMXHP.png)You can add up to eight parallel IPSec terminations for resiliency and load sharing.
  - For the first tunnel, the Region is selected by default.
  - For the second tunnel, select the Region from the list.
2. Make sure**Authentication Method**is **Shared Secret** and enter **Shared Secret** key.
3. Enter these details:
  1. **SASE Tunnel Internal IP**
  2. **Site Public IP:**Public IP address of the second end of the tunnel.
  3. **Site ID:**In most cases, the ID of the tunnel is its public IP. However, it must be configured to the same value on both ends.
  4. **Site Gateway Internal IP**
  5. **Site Gateways ASN**
4. Click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-MBWIYNMT.png)

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-OUX3IWJM.png)

The **IPSec Configuration** window appears.
5. By default **Check Point SASE Proposed Subnets** is **Any (0.0.0.0/0).**

> The IPSec network selector should be configured to the same value at both ends of the tunnel.
6. Enter **Site** **Subnets**.
7. Enter **Autonomous System Number (ASN).**

> The Autonomous System Number (ASN) is required for the Border Gateway Protocol (BGP).
8. In **Recommended Defaults**, the values are by default based on the service provider. For more details, refer [Connect Cloud Resources](https://support.perimeter81.com/docs/connect-cloud-resources-1) and [Connect On-Prem Resources](/v1/docs/connect-on-prem-resources).
9. Click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Tunnel Creation Summary Dynamic.png)

The **Tunnel Creation Summary** window appears. You can see all the configuration details.
10. (Optional) Click **Export Configurations** to download configuration json file.
11. Click **Complete**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-V6ITREIG.png)

The tunnel is created and listed in your **Networks** page.

#### Static Routing

1. In the**Import Configurations** window, select **Manual Configuration** and click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-90X2U2LC.png)
2. In the Tunnel Configuration window, the **Authentication Method** is selected as **Shared Secret**by default.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Tunnel Configuration 1.png)
3. Click **Generate** to get the Shared Secret key.
4. Enter **Site Public IP:**It is the Public IP address of the second end of the tunnel.
5. (Optional)**Site ID:** In most cases, the ID of the tunnel is its public IP. However, it must be configured to the same value on both ends.
6. By default **Check Point SASE Proposed Subnets**is selected as **Any (0.0.0.0/0).**

1. By default **Remote Gateway Proposed** **Subnets** is **Any (0.0.0.0/0).**

> It is not recommended to use Specified Subnets or Policy Based Routing. Consider using **Any (0.0.0.0/0)**, Route Based instead.
2. Enter **Subnets**.
3. Click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-FBDC8PGV.png)
4. In **IPSec Configuration** window, the values are by default based on the service provider. For more details, refer [Connect Cloud Resources](https://support.perimeter81.com/docs/connect-cloud-resources-1) and [Connect On-Prem Resources](/v1/docs/connect-on-prem-resources).
5. Click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-NXCD8APS.png)

The **Tunnel Creation Summary** window appears. You can see all the configuration details.
6. (Optional) Click **Export Configurations** to download configuration json file.
7. Click **Complete**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-V6ITREIG.png)

The tunnel is created and listed in your Networks page.

## Managing a Network

### Editing a Network

1. Access the Check Point SASE Administrator Portal and click **Networks**.
2. Select the network.
3. Click![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and then click **Edit Network**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-NYGGY9IV.png)

The Edit Network window appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-FVOSU4SM.png)
4. Make the required changes (**Network name**, **Network tags**, **Icon**) and click **Save**.

> You cannot change the Subnet after network creation.

### Adding Regions

1. Access the Check Point SASE Administrator Portal and click **Networks**.
2. Select the network.
3. Click![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and then click **Edit Network**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-LKBEZU2T.png)

The **Add Region** window appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-PO5K1Q0B.png)
4. From the **Region**list, select the region to deploy the Check Point SASE gateway.
5. In the **Scale Units** field, enter the number of gateways you want to deploy in the region.
6. To add more regions, click **Add Region** and repeat steps 4 and 5.
7. To activate the region for users, select the **Activate Regions For Users** checkbox.
8. Click **Add Region**.

### Managing Access

Manage Access allows you to select the member groups who can access the network.

**To manage access to a network:**

1. Access the Check Point SASE Administrator Portal and click **Networks**.
2. Select the network.
3. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and then click **Manage Access**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-A55GPIN3.png)

The **Manage Access** window appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-DXB41REL.png)
4. From the list, select the member groups who can access the network.
5. To remove a member group, click **Remove**.
6. Click **Apply**.

## Managing Tunnels

In Enhanced Networks, all tunnel operations happen at the Region level (not on gateways).

### Editing a Tunnel

1. In the **Networks** page, select your Enhanced Network.
2. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and click **Edit Tunnel**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-KXJO7PHD.png)

The **Edit Tunnel** pop up appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-RSSIQLRC.png)
3. Make the required changes and click **Apply Changes**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-OQ1MEGNK.png)

> **For Tunnel Configurations:**
> 
> - You cannot add and delete terminations in the same edit session.
> - You cannot move a termination to a different region, delete or re-add it.
> - Ensure the region has enough Scale Units before adding terminations.
> 
> **For IPSec settings:**
> 
> - Use vendor recommendations unless you have a specific compliance requirement.
> - Incorrect IPSec settings can cause tunnel failure, validate changes before applying.

### Viewing Tunnel Details

1. In the **Networks** page, select your Enhanced Network.
2. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and click **View Tunnel**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-XFQDU992.png)

The Tunnel Details pop up appears. ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-L50AV8XZ.png)

### Delete a Tunnel

1. In the **Networks** page, select your Enhanced Network.
2. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3-dots.png) and click **Delete Tunnel**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-8LGYZQJG.png)

The **Delete Dynamic Tunnel** pop up appears.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-VNC7NUMR.png)
3. Click **Delete.**

> [!NOTE]
> Notes:
> 
> - Make sure no active traffic depends on the tunnel before you delete it.
> - You can delete individual terminations or the entire dynamic tunnel.
> - Once you start a delete operation, you cannot add new terminations in the same session.

## **Support Contacts**

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.