• 30 Jan 2024

      The Harmony SASE Network offers several different ways to connect your cloud/on-premises infrastructure. While our solution is hardware-free, there are some minimal requirements for a successful Site-to-Site connection, which are covered in this article:

      • Internal network-compliant subnet
      • IPsec tunneling supporting router
      • For a WireGuard tunnel: a Linux server that is available to host the connection (it can be a virtual machine)

      Internal Network Subnet

      The Harmony SASE network is designed according to internationally acknowledged standards and follows the RFC conventions regulated by the American internet authorities. In order to successfully incorporate Harmony SASE in your architecture, please make sure that:

      1. Your internal network follows industry-accepted design patterns.
      2. VPCs or DCs with overlapping subnets do not reside in the same network.
      3. Your Harmony SASE Network subnet does not overlap with your network subnet.
      4. All subnet masks are either class B or C (HIGHLY RECOMMENDED).
      5. (recommended - not a must) Your internal network has a static public IP.
      Warning and are the most commonly used subnets for IoT applications,
      If you plan to connect a site with this CIDR, you might experience an IP conflict with users trying to reach this from home.

      You may want to change it to anything else (for example or prior to connecting a site to your Harmony SASE network.
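The subnet requirements listed above can be checked against a planned address layout before a site is connected. The following Python script is an added example, not Harmony SASE tooling; the function name `check_site_plan`, the sample CIDRs, and the reading of "internal" as RFC 1918 space and "class B or C" as /16 or /24 masks are assumptions.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges; assumed to be what the article means by an
# "internal network-compliant subnet".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_site_plan(sase_cidr, site_cidrs):
    """Return (errors, warnings) for a planned Site-to-Site layout.

    sase_cidr  -- subnet assigned to the Harmony SASE network
    site_cidrs -- mapping of site name -> CIDR (VPCs, data centres, offices)
    A CIDR with host bits set (e.g. 192.168.1.10/24) raises ValueError.
    """
    errors, warnings = [], []
    nets = {"harmony-sase": ipaddress.ip_network(sase_cidr, strict=True)}
    for name, cidr in site_cidrs.items():
        nets[name] = ipaddress.ip_network(cidr, strict=True)

    for name, net in nets.items():
        if net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
            errors.append(f"{name}: {net} is not inside an RFC 1918 range")
        # "Class B or C" is read as a /16 or /24 mask (assumption). The
        # article only recommends it, so it is a warning, not an error.
        if net.prefixlen not in (16, 24):
            warnings.append(f"{name}: /{net.prefixlen} mask is not /16 or /24")

    # Requirements 2 and 3: no two subnets, the SASE one included, may overlap.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            errors.append(f"{a} {net_a} overlaps {b} {net_b}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample plan; none of these values come from the article.
    plan = {"aws-vpc": "10.20.0.0/16",
            "office": "192.168.50.0/24",
            "dc-east": "10.20.8.0/22"}
    errs, warns = check_site_plan("10.254.0.0/16", plan)
    for msg in errs:
        print("ERROR  ", msg)
    for msg in warns:
        print("WARNING", msg)
```

An empty error list means the plan satisfies the overlap requirements; warnings flag only the recommended mask sizes.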

      A Site-to-Site connection between your Harmony SASE Network and your Cloud infrastructure can be easily implemented with any IaaS provider. However, if you'd like to connect to your on-premises infrastructure, make sure that at least one of the following requirements is fulfilled.

      IPsec Tunneling Support

      Make sure your edge device (firewall or router) supports IPsec point-to-point tunneling using IKEv2. IPsec passthrough devices will not work.
      If you are not sure, you can search our "Connect On-Prem Resources" section or look at the manufacturer's official documentation.
      If it is not supported, or if you prefer avoiding adjustments in your Firewall or Router Interface, move on to the next step.

      WireGuard Server

      A Site-to-Site connection can also be achieved by deploying a Harmony SASE connector on a virtual/bare-metal server that is able to connect to your desired resources and fulfills the following requirements:


      1. Kernel: Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 23.04, CentOS 7, or CentOS 8 (RedHat distributions)
      2. Packages installed: (Ubuntu) curl, dig, software-properties-common; or (CentOS) curl, bind-utils
      3. Free Disk Space: 20 GB available
      4. Free Memory: 2 GB RAM
      5. A static internal IP address
      6. The network adapter cannot be in NAT mode, only Bridge.
      7. If you are hosting the Linux machine on a Windows host, virtualization must be enabled in the Windows host's BIOS.

      Once you have made sure these prerequisites are fulfilled, you can move on to the next stage: choosing the Site-to-Site connection type that best fits your use case.
