• 30 Jan 2024
  • 8 Minutes to read
  • Contributors


      Article Summary

      Q. What is Harmony SASE?

      • Harmony SASE is a cloud-based Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce. It incorporates the Zero Trust and Software-Defined Perimeter models. For more information regarding it's features, we recommend going over our "Getting Started" page.

      Q. What are Harmony SASE's key features?

      • Software-Defined Perimeter (SDP): SDP technology creates a dark network where all resources are hidden and inaccessible to unauthorized users. Each user must authenticate and be validated before gaining access, essentially following a "zero trust" model.
      • Zero Trust Network as a Service (ZTNA): Zero Trust Network is an IT security model that requires all users, even those inside the organization's network, to be authenticated, authorized, and continuously validated before being granted or keeping access.
      • Secure Cloud and Network Access: Harmony SASE allows businesses to create their own dedicated, cloud-based networks. Users can then securely access these networks from anywhere, making it ideal for remote teams.
      • Automatic Wi-Fi Security: This feature immediately encrypts user data the moment a device connects to an unsecured Wi-Fi network, ensuring that sensitive business information is always kept safe.
      • Single Sign-On (SSO) Integration: Harmony SASE integrates with various SSO providers, simplifying the login process and reducing the risk of password-related security incidents.
      • Two-Factor Authentication (2FA): This additional layer of security ensures that users must provide two forms of identification before they can access your business's network.
      • Role-Based Access Control (RBAC): You can manage and control network access on a per-role basis, giving certain users more access privileges than others based on their role in your company.
      • Cross-Platform Applications: Harmony SASE provides native applications for all major platforms, ensuring secure access for all users, regardless of the device or operating system they use.

      Q. How do I get started with Harmony SASE?

      • Create your Network: This involves setting up your secure network, which includes regions and private gateways.
      • Connect your On-Prem and Cloud Infrastructure: You can deploy site-to-site tunnels to securely connect your local and cloud resources.
      • Invite your Employees: Integrate with your Identity Provider and invite your users. Create or import your user groups and build user-centric network or application policies accordingly.
      • Set Up Secure Access Rules (Zero Trust Network Access): Download and deploy Harmony SASE's agents to your organization-managed devices. Configure agent-less access, Zero Trust Applications, user-centric firewall policies, device posture check rules.
      • Set Up Secure Internet Rules (Secure Web Gateway): Configure the Web Security policies and set up Bypass Rules for traffic that should not be inspected. Advanced Malware Protection will be enabled by default.
      • Watch your Network: Track member activities and alerts, active sessions, user devices, compliance status, malware reports, web activity reports, network firewall logs, and more.

      Q. How do I create a Network on Harmony SASE?

      1. Select 'Create Network' on the Networks tab.
      2. Fill in the following information:
        • Network Name: A name for the Network you are building.
        • Icon: Use the default or select an icon of your choice.
        • Region: The region is where the gateway will be deployed.
        • Gateways: The number of gateways you want to deploy in a particular region.
        • Network Tags: Use tags to help identify the different purposes and/or teams your Network will support.
        • Subnet: Optional. If the subnet is not specified, it will receive a default value of

      Please note that the subnet cannot be changed after its creation. Ensure the selected Subnet won't overlap with the subnets you use in your on-premises and cloud-based networks.

      Q. How can I add additional regions to my network?

      • To add a Region to your Network, select the three-dotted menu (...) to the right of your Network and choose 'Add Region'. On the 'Add Region' screen, choose from the available Regions and select the desired number of Gateways (limited to the number of available licenses).

      Q. Why do I lose connection to the Harmony SASE agent, or have disconnection issues when I make changes to tunnels or gateways?

      • When you make a change to your gateway (add/remove/update tunnels) these changes will need to be replicated on the gateway, as such, whenever you perform one of the actions above, your gateway will need to momentarily restart the service and any active connections will be severed until the service fully restarts.
      • You and your users will be momentarily disconnected after a change or update but this will only be as long as it takes for the tunnel to commit the changes.
      • We recommend any maintenance on tunnels or gateways be performed after business hours to avoid any service disruptions, as well as to minimize downtime.

      Q. What private IP space will my Harmony SASE network be a part of?

      • The workspace Admin decides this when creating the network.
      • A single network will be a subnet on any private IP range (10.0-255.0.0/8, 172.16-31.0.0/12, varying from /22 to /12 depending on the number of gateways the network be able to support.
      • Every gateway will have 1024 IP addresses reserved, hence our highest mask (/22) will only allow for the creation of a single gateway. The lowest mask (/12) will allow for the creation of up to 1024 Gateways.
      • Our default subnet with a mask is
      Subnet Sizing
      • 10.0-255.0.0/8 range should have a minimum of /22 and a maximum of /12 - a /22-bit mask allows a single Harmony SASE Gateway, and /12 allows up to 1024 Gateways.
      • 172.16-31.0.0/12 range should have a minimum /22 and maximum /12 - a /22-bit mask allows a single Harmony SASE Gateway, and /12 allows up to 1024 Gateways.
      • range should have a minimum /22 and maximum /16 - a /22-bit mask allows a single Harmony SASE Gateway, and /16 allows up to 64 Gateways.

      You can see below how the corresponding CIDR range will affect the planning of your Harmony SASE network. Be sure not to set your range too high if you plan on adding gateways later for scalability, or else you will have to delete the network to adjust the range.

      CIDR RangeNumber of Gateways

      Q. How can I ensure my users are connected to the VPN?

      Here is a list of features the workspace Admin can activate within The user's VPN client configuration to ensure the users are connected to the VPN when the Admin needs them to:

      • Automatic Wi-Fi Security - This feature checks if the user is connected to an "Unsecured" Wi-Fi network, if the Harmony SASE Client is on and an unsecured network is detected, they are automatically connected to the VPN.
      • Trusted Wi-Fi Networks - This is a list of exceptions for the "Automatic Wi-Fi Security" feature. Enter an SSID of an "Unsecured" network to not trigger an automatic connection to the VPN.
      • Trusted Wired Networks - This is a list of exceptions for the "Always On" feature. Enter the name of a local network and the MAC address of its' router to not trigger an automatic connection to the VPN.
      • Always-ON - This feature does not let the user disconnect from the VPN, it disables the "Disconnect" button and requires a special code to exit the VPN.
      • Kill Switch- To avoid data leaks, if any disconnection is detected with the VPN (even one caused by the local internet connection, like a slight disconnection to the Wi-Fi) the computer's internet connection is turned off, and the user is no longer able to use the internet.
        • We recommend turning the Kill Switch feature off unless specifically requiredas it may not be pleasant for non-technical users.

      Q. How can I improve the File Sharing Speed I get using Microsoft Windows?

      Due to known limitations with SMB protocol (this is the protocol used by Microsoft Windows for sharing files), there might be latency issues when downloading files or accessing a Shared remote Windows resource.

      The issue reported is usually something along the lines of this:
      • Internet connections are stable and have decent speed.
      • Other file transfers like FTP are fine.
      • File transfers using Windows file shares (i.e., SMB or CIFS) are slow
      IT Engineers can perform the following tests to verify the problem:
      • The ping test shows a normal connection speed
      • iPerf on SMB ports to the affected resource show slow responses

      To improve SMB speeds over VPN, there are a few steps we can recommend:

      1. Moving away from a Wireguard Site-to-Site connection on a standalone machine in the network which depends on NAT rules (Wireguard Connector) to reach the internal LAN, to a Traditional IPsec Site-to-Site Tunnel which is connected to the actual Router has been shown to improve SMB connection speed.
      2. Fine-tuning the SMB Server
      External links from Microsoft regarding fine-tuning an SMB server:
      1. Review MTU sizes of all the interfaces on the way (the Maximum Transmission Unit size indicates how long the packet allowed on the interface is) and make sure they all match:

      • To check MTU size via Powershell:
        netsh interface ipv4 show subinterface
      • To Change MTU size on Interface "Local Area Connection" (might be named differently on your system) to 1420, via Powershell:
        netsh interface ipv4 set subinterface “Local Area Connection” mtu=1420 store=persistent

      Q. What IP will be displayed in the agent when the split tunneling is enabled?

      The agent will display your local ISP's public IP:
      When split tunneling is enabled, the agent adds a route that directs traffic to subnets that are listed under the split tunneling settings. The rest of the traffic is routed through a local ISP.

      Q. After activating SMS Multi-Factor Authentication I get the below error when trying to access the platform, how can I resolve this error?

      You may occasionally run into the error when trying to log in to Harmony SASE: "We could not send the SMS. Please try the recovery code".  This error may occur when you reach the 10 SMS per hour limitation. We use active brute force protection, users that attempt to log in multiple times or failed to enter the correct code multiple times may encounter this error.
      To resolve it, you can either use your recovery code or wait 1 hour until the limit resets.

      Was this article helpful?