Managing Secure Networks
Zenarmor SASE edition enables you to establish secure private networks within your organization. The Zenarmor private network is a mesh virtual private network (VPN).
The primary advantage of the Zenarmor private network over traditional virtual private networks is its simplicity, speed and performance. Zenarmor provides a scalable, secure, and performance-optimized framework for managing remote access. Unlike conventional VPN solutions, Zenarmor does not require routing network packets through a data center or point of presence (POP) location. This approach reduces latency and eliminates the inefficiencies of centralized routing, resulting in a smoother and faster experience for end users.
Another advantage of Zenarmor SASE is the zero trust mentality. All connections are denied unless they are explicitly allowed by policy. Policy rules are fully context-aware and can be enforced based on a number of advanced criteria such as user, group, location, and application.
Zenarmor enables organizations to quickly extend their coverage across multiple locations without the need to duplicate hardware infrastructure. This flexibility makes it an excellent choice for enterprises managing global operations, branch offices, and a remote or hybrid workforce. Whether deployed in a public cloud, on-premises data center, on edge devices, or as a hybrid solution, Zenarmor offers a level of scalability that traditional VPNs often struggle to achieve in modern enterprise environments.
Zenarmor's secure private networks are managed through a central cloud management portal called Zenconsole. This powerful tool streamlines configuration, simplifies policy updates, and enhances user onboarding, enabling you to scale your network effortlessly.
Managing Zenarmor secure private networks is easy and efficient. You can manage your secure networks by following three main steps:
- Create your micro-segmented secure private networks within your organization.
- Add peers, whether they’re gateways or endpoints.
- Tailor your access control through intuitive private network policies, including advertised networks and failover priorities, and let Zenarmor take care of the rest.
In just seconds, your micro-segmented mesh networks will be fully operational, providing robust security and connectivity.
Creating Secure Private Networks
You may easily create private networks by following these steps.
- Log in to Zenconsole.
- Select the organization that you want to manage.
- Navigate to the Secure Networks page on Zenconsole.
- Click on the + Create Overlay Network button. This will pop up a dialog box for overlay network settings.
Figure 1. Secure Networks Page
- Type a descriptive name for the Network Name.
- Type a descriptive name for the Network Slug.
- Specify the IPv4 Address Range in CIDR format.
Warning: Please be aware that assigning a private IP address (such as RFC1918) may trigger DNS rebinding protection mechanisms in browsers and network security systems. This can lead to access being blocked or resolution failures occurring. Public DNS servers should not resolve to private IP ranges (for example, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
If you need to use non-public addresses, there are two recommended approaches:
  - Utilize CGNAT address space (100.64.0.0/10) instead of RFC1918 ranges. This can help avoid DNS rebinding protection issues while still allowing the use of non-public IPs.
  - Set up your own private DNS server for internal resolution.
If you plan to use RFC1918 addresses, ensure they are not used within your internal networks.
Figure 2. Create Overlay Network
- Click Create button. This will seamlessly establish a private and secure network tailored for your organization. You will then see the overlay network configuration page, ready for your customization.
Figure 3. Secure Network Settings Page
You may create multiple secure private networks within your organization. You'll find a complete list of all your private networks conveniently displayed on the left side of the Secure Networks page, making management effortless and efficient.
Figure 4. Secure Networks List
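The address-range warning in the steps above can be checked before you type a range into the dialog. The following is an added example, not Zenarmor code: the function names and the sample subnets are assumptions made for illustration, and the overlap check is applied to any candidate range, which goes slightly beyond the RFC1918 case the warning names.

```python
import ipaddress

# Ranges named in the warning above.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample: subnets already in use inside the organization.
INTERNAL = ["192.168.1.0/24", "10.10.10.0/24"]


def classify_range(net):
    """Return 'rfc1918', 'cgnat', 'mixed' or 'other' for an IPv4 network."""
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"
    if any(net.overlaps(r) for r in RFC1918 + (CGNAT,)):
        return "mixed"  # wider than, but overlapping, one of the ranges
    return "other"


def check_overlay_range(cidr, internal_networks):
    """Review a candidate overlay range against existing internal subnets.

    Raises ValueError if cidr is not a valid IPv4 network address
    (for example host bits set, as in 10.1.2.3/16).
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    internal = [ipaddress.IPv4Network(n, strict=True) for n in internal_networks]
    conflicts = [str(n) for n in internal if n.overlaps(net)]
    findings = []
    if any(net.overlaps(r) for r in RFC1918):
        findings.append("RFC1918 space: DNS rebinding protection may block "
                        "names that resolve into this range")
    if conflicts:
        findings.append("overlaps internal networks: " + ", ".join(conflicts))
    return {"range": str(net), "class": classify_range(net),
            "conflicts": conflicts, "findings": findings}


if __name__ == "__main__":
    for candidate in ("10.10.0.0/16", "172.16.50.0/24", "100.64.10.0/24"):
        result = check_overlay_range(candidate, INTERNAL)
        print(result["range"], result["class"], result["findings"] or "no findings")
```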
Managing Peers
Zenconsole allows you to manage secure private network peers, endpoints, or gateways. You may perform the following tasks on these peers.
- Adding EndPoint Peers
- Adding Gateway Peers
- Removing Peers
- Viewing Peers
- Updating Peer Settings
- Searching Peers
Adding EndPoint Peers
You may add an endpoint device to your secure private network as a peer by following the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network to which you want to add an endpoint peer.
- Locate the Peers pane on the selected secure network page.
- Click + Add Endpoint button. This will display available endpoints in your organization. You may use Search tool to find a specific endpoint quickly.
- Select the endpoint you want to add.
- You may add as many endpoints as you want. All added endpoints will appear in the Peers pane. A message box will appear at the bottom right of the page for configuration updates.
Figure 5. Add Endpoint to Overlay
- Click Sync Now button for an immediate configuration update on all instances.
Figure 6. Configuration Updated - Sync Now Popup
Adding Gateway Peers
You may add a gateway device to your secure private network as a peer by following the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network to which you want to add a gateway peer.
- Locate the Peers pane on the selected secure network page.
- Click + Add Gateway button. This will display available gateways in your organization. You may use Search tool to find a specific gateway quickly.
- Select the gateway you want to add.
- You may add as many gateways as you want. All added gateway peers will appear in the Peers pane. A message box will appear at the bottom right of the page for configuration updates.
Figure 7. Add Gateway to Overlay
- Click Sync Now button for an immediate configuration update on all instances.
Figure 8. Configuration Updated - Sync Now Popup
Removing Peers
You may easily remove a peer from a secure private network by following the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network from which you want to remove a peer.
- Locate the Peers pane on the selected secure network page.
- Locate the peer that you want to remove. You may use the search toolbox to find a peer.
- Click Actions menu with the 3-dot icon. This will open a drop-down menu.
Figure 9. Remove Peer from Overlay
- Click Remove button to delete the selected peer from the secure private network. This will display a notification window for confirmation.
- Click Remove to approve the peer deletion. A message box will appear at the bottom right of the page for configuration updates.
- Click Trigger Update button for an immediate configuration update on all instances.
Viewing Peers
Zenconsole allows you to view all peers approved to connect to a secure private network from a single point of view.
You may view all peers in a secure private network by following the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network on which you want to view a peer.
- Locate the Peers pane on the selected secure network page.
The following peer details are displayed.
- Peer Name
- Slug
- Overlay IP
- Actions
Figure 10. Peers List Sorted by Overlay IP
You can sort peers by their names and IP addresses. Click on the Peers or Overlay IP column to arrange the peers in either ascending or descending order.
Updating Peer Settings
Zenconsole allows you to update the IP address of a secure private network peer or add an advertised network for a gateway peer manually. You may update these peer settings by following the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network on which you want to view a peer.
- Locate the Peers pane on the selected secure network page.
- Locate the peer that you want to update. You may use the search toolbox to find a peer.
- Click Actions menu with the 3-dot icon. This will open a drop-down menu.
Figure 11. Access Peer Settings
- Click Settings button to edit the selected secure private network peer. The peer settings window will appear on the right side of the page.
Figure 12. Peer Settings
- You may type the new Overlay IP Address.
- You may click + Add network button to define Advertised Networks, which will be routed by the gateway peer. This will open a dialog box.
- Type the network address that will be advertised by the gateway peer.
Figure 13. Add Advertised Network
- Click Add button. A message box will appear at the bottom right of the page for configuration updates.
- Click Trigger Update button for an immediate configuration update on all instances.
Searching Peers
Zenconsole enables you to search for a peer by its peer name, email address, or IP address. To locate a peer in your peers list, enter their name or email address into the search field. This will automatically update the peers list below, and the peer you are seeking will be displayed.
Figure 14. Searching Peer
Managing Advertised Networks & Failover Priority on Gateway Peers
Advertised networks define what is reachable, while failover priority defines how traffic behaves during failures. Together, they form the foundation of Zenarmor’s automatic failover mechanism.
If you are new to automatic failover or want to understand the underlying concepts and benefits, we recommend reading the following guide first: Automatic Failover for Advertised Networks
The following sections describe how to add, remove, and manage advertised networks, as well as assign failover priority using Zenconsole.
Before proceeding with the failover configuration, ensure that a secure private network already exists. Automatic failover operates only within a private network where gateway peers can communicate and advertise routes.
If you have not yet created a secure private network or added peers, refer to the following documentation: Creating Secure Private Networks, Managing Peers (Gateways and Endpoints)
Adding Advertised Networks on Gateway Peers
Advertised networks define which internal subnets (LANs) are reachable through a gateway. These are the networks that Zenarmor will route traffic to and protect.
Follow the steps below to enable and configure automatic failover:
- Log in to your Zenconsole account.
- Navigate to Secure Networks from the left-hand menu.
- Click the Secure Network you want to configure (e.g., My Private Network).
Figure 15. Selecting a Secure Network for Configuration
- Ensure that at least two gateway peers are added to the same secure private network.
Note: Endpoints may exist in the private network, but do not participate in failover, as failover decisions are made only between gateway peers.
- In the Peers list, click on a gateway.
- The Peer Settings panel opens on the right-hand side of the screen.
- Under Advertised Networks, click Add Network.
Figure 16. Peer Settings Page
- An Add Advertised Network pop-up appears.
- Enter the internal network that exists behind this gateway (for example: 192.168.1.0/24 or 10.10.10.0/24).
- Click Add to save the network.
Figure 17. Add Advertised Network Popup
Tip: A single gateway can advertise multiple internal networks if it routes traffic to more than one internal subnet.
- Repeat this step for all gateway peers that should advertise the same network range.
- After the addition, a "Peer settings has been updated" success notification appears.
Figure 18. Success Popup
- Also, a Configuration Updated notification appears in the bottom-right corner. You can click Sync Now to immediately synchronize the configuration across all gateway instances, or wait for the automatic synchronization, which runs every 15 minutes.
Figure 19. Configuration Updated - Sync Now Popup
After synchronization, the advertised networks and their associated gateway peers become visible in the Advertised Networks & Failover Priority section below.
From this section, you can review which gateways advertise each network and configure or update failover priorities as needed.
Figure 20. Advertised Networks & Failover Priority List View
Removing Advertised Networks from a Gateway
Advertised networks can be removed at any time if they are no longer reachable through a gateway or no longer required for routing and failover. To remove an advertised network, follow the steps below:
- Log in to your Zenconsole account.
- Navigate to Secure Networks from the left-hand menu in Zenconsole.
- Click the Secure Network you are working with (for example, My Private Network).
- Scroll down to the Advertised Networks & Failover Priority section.
- Locate the gateway peer that advertises the network you want to remove.
- Click on the gateway peer entry in the list. The Peer Settings panel opens on the right-hand side of the screen.
- Under Advertised Networks, locate the network you want to remove.
- Click the × (remove) icon next to the advertised network.
Figure 21. Removing Advertised Networks from a Gateway
- After the removal, a "Peer settings has been updated" success notification appears.
- Also, a Configuration Updated notification appears in the lower-right corner of the screen. You can click Sync Now to immediately synchronize the changes across all gateway instances, or wait for the automatic synchronization, which runs every 15 minutes.
Once removed, the network is no longer reachable through this gateway and is excluded from routing and failover decisions.
Assigning Failover Priority
Failover priority determines which gateway is preferred when multiple gateways advertise the same network.
It defines how traffic should behave during gateway failures and is a key component of Zenarmor’s automatic failover mechanism.
- Higher priority → Preferred (primary) gateway
- Lower priority → Fallback (secondary) gateway
Failover priority becomes effective only after the same network is advertised by multiple gateways. If a network is advertised by a single gateway, failover does not apply.
To assign failover priority to a gateway, follow the steps below:
- Log in to your Zenconsole account.
- Navigate to Secure Networks from the left-hand menu.
- Click the Secure Network you are working with (for example, My Private Network).
- Scroll down to the Advertised Networks & Failover Priority section.
- Locate the gateway peer that advertises the target network.
- Click on one of the gateway peers in the list. The Peer Settings panel opens on the right-hand side of the screen.
- Just below the Advertised Networks section, locate Failover Priority.
Figure 22. Assigning Failover Priority
- Click Set priority… and assign a numeric value:
  - Primary gateway → Set a higher priority (for example, 1)
  - Secondary gateway → Set a lower priority (for example, 2)
- Repeat this step for all gateways advertising the same network, ensuring that each gateway has a distinct priority.
- The change is saved automatically, and a success notification appears indicating "Failover priority has been saved".
- Also, a Configuration Updated notification appears in the lower-right corner of the screen. You can click Sync Now to immediately synchronize the changes across all gateway instances, or wait for the automatic synchronization, which runs every 15 minutes.
After assigning priorities, Zenarmor continuously monitors gateway health and automatically reroutes traffic when a failure is detected.
Once the configuration is synchronized, the updated failover priorities are reflected in the Advertised Networks & Failover Priority table, where you can review and modify gateway priorities at any time.
Figure 23. Viewing Failover Priority
Failover priority can be adjusted at any time. Changing priorities does not require re-advertising networks and takes effect as soon as the configuration is synchronized.
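The rules in this section (failover applies only when several gateways advertise the same network, and each of those gateways needs a distinct priority) can be reviewed offline against a list of gateways. The following is an added example, not Zenarmor code: the record layout, gateway names and function name are assumptions, not a Zenconsole export format, and gateways are ordered by ascending number as in the example values above (1 for primary, 2 for secondary).

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: one record per gateway peer, with the networks
# it advertises and the failover priority set in its Peer Settings.
GATEWAYS = [
    {"name": "gw-hq-1", "advertised": ["192.168.1.0/24", "10.10.10.0/24"], "priority": 1},
    {"name": "gw-hq-2", "advertised": ["192.168.1.0/24", "10.10.10.0/24"], "priority": 2},
    {"name": "gw-branch", "advertised": ["10.10.10.0/24", "10.20.0.0/24"], "priority": 2},
    {"name": "gw-lab", "advertised": ["192.168.1.0/24"], "priority": None},
]


def audit_failover(gateways):
    """Group gateways by advertised network and report priority problems.

    Returns {network: {"order": [gateway names, preferred first],
                       "issues": [text, ...]}}.
    """
    by_network = defaultdict(list)
    for gw in gateways:
        for cidr in gw["advertised"]:
            net = ipaddress.ip_network(cidr)  # ValueError on a malformed entry
            by_network[str(net)].append((gw["name"], gw.get("priority")))

    report = {}
    for net, members in sorted(by_network.items()):
        issues = []
        if len(members) < 2:
            # Advertised by one gateway only: there is nothing to fail over to.
            issues.append("single gateway: failover does not apply")
        else:
            missing = sorted(name for name, prio in members if prio is None)
            if missing:
                issues.append("no priority set: " + ", ".join(missing))
            seen = defaultdict(list)
            for name, prio in members:
                if prio is not None:
                    seen[prio].append(name)
            for prio, names in sorted(seen.items()):
                if len(names) > 1:
                    issues.append(f"priority {prio} shared by: "
                                  + ", ".join(sorted(names)))
        # Assumption: the lower number is preferred, as in the page's example.
        ranked = sorted((prio, name) for name, prio in members if prio is not None)
        report[net] = {"order": [name for _, name in ranked], "issues": issues}
    return report


if __name__ == "__main__":
    for network, entry in audit_failover(GATEWAYS).items():
        print(network, "->", entry["order"], entry["issues"] or "ok")
```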
Searching and Filtering Advertised Networks
As environments grow, multiple gateways and advertised networks may appear in the list. Zenconsole provides filtering and search options to help you quickly locate specific advertised networks or gateway peers.
These tools improve visibility and make managing failover configurations easier.
To filter or search advertised networks, follow the steps below:
- Log in to your Zenconsole account.
- Navigate to Secure Networks from the left-hand menu.
- Click the Secure Network you are working with.
- Scroll down to the Advertised Networks & Failover Priority section.
- To search, use the Search field to find a specific gateway peer by name. The list updates dynamically as you type.
Figure 24. Searching Advertised Networks
- To filter the displayed networks, click All Advertised Networks in the upper-right corner of this section.
- Select the advertised network you want to view from the dropdown list.
- The table updates to display only the gateway peers advertising the selected network.
Figure 25. Filtering Advertised Networks
Filtering and search help you quickly identify gateways with missing or misconfigured failover priorities, making it easier to review and adjust failover behavior when managing multiple advertised networks.
Viewing Gateway Overlay Status
Zenconsole allows you to view the connection status and overlay network details of a gateway peer by following the steps below.
- Navigate to Secure Networks page of an organization on Zenconsole.
- In the left sidebar, click Gateway Overlay Status to expand the gateway list.
- From the expanded list, select the gateway peer. This will display the secure private network connection status of the selected gateway. You may view the following details.
- Coordinator Server
- Relay Server
- Overlay Networks
Figure 26. Gateway Overlay Status Page
Viewing Coordinator Server
Zenarmor's coordinator server initiates connections between peers in secure private networks. The details can be viewed in the Coordinator Server pane.
- Status: This field shows the connection status between your gateway and the coordinator server. When your gateway is successfully connected to a secure network, this Status field will display as Connected. If your gateway fails to connect to the secure private network, it will show as Not Connected.
- Location: This field displays the location of the Coordinator Server. The Zenarmor coordinator server is located in North Charleston, United States.
Figure 27. Viewing Coordinator Server
Viewing Relay Server
The Zenarmor relay server behaves as a proxy server between the peers when they cannot communicate with each other directly. In such cases, secure private network peers connect through the nearest Zenarmor relay server. The details can be viewed in the Relay Server pane.
- Status: This field shows the connection status between your gateway and the relay server. When your gateway is successfully connected to a secure network, this Status field will display as Connected. If your gateway fails to connect to the secure private network, it will show as Not Connected.
- Location: This field displays the location of the Relay Server. Zenarmor provides 5 relay servers located in different regions of the world, like the United States, Europe, and Asia. Peers should connect to the nearest relay server.
- RTT: The time the gateway takes to get a response from the relay server after initiating a network request.
Figure 28. Viewing Relay Server
Viewing Overlay Networks
The Overlay Networks pane lists the secure private networks that the selected gateway is a member of, along with high-level network details.
The following information is displayed for each overlay network:
- Secure Private Network Name: The name of the secure private network is displayed.
- Secure Private Network IP Range: The IP address range used for the overlay network is displayed under the name of the overlay network.
- Overlay IP Address: The secure private network IP address of the Gateway is displayed.
Viewing Overlay Networks Details
The Secure Networks page allows you to view the status of the connections between your gateway and other peers in a secure private network. You may view the secure private network details by following the next steps.
- Select a gateway from Gateway Overlay Status in the left sidebar.
- Locate the desired secure private network in the Overlay Networks pane.
- Click on the Show Details button next to the secure private network.
This action displays all peers in the selected secure private network along with their connection status to the gateway.
The peer list includes the following details:
- Peer: This field displays the name of the peer.
- Connection Status: This field displays the status of the connection between your gateway and the peer. When they are connected, the duration of the active connection appears.
- RTT (Round Trip Time): The time the gateway takes to get a response from the peer after initiating a network request.
- Connection Type: Connection type between the peers. Available transport types are as follows.
  - Relay: Peers communicate with each other via a relay server hosted by Zenarmor.
  - P2P: Peers directly communicate with each other over an encrypted tunnel.
  - Local: Peers have a LAN connection between each other and communicate via this local network.
- Location: Geo IP location of the peer.
- IP Address: Overlay IP address of the peer.
Figure 29. Viewing Overlay Network Details
You may view the details of a selected peer by clicking on the Show Details button under the Actions column. This will display the Peer Details window on the right side of the page.
Figure 30. Viewing Peer Details
Peer Details window includes the following information about the peer pairs.
- Name: Name of the peer.
- Hostname: Hostname of the peer.
- Overlay Ip: Secure private network IP address of the peer.
- Is Pop: This option indicates whether the peer is operating as a Point of Presence (POP). (Coming soon)
- Is Endpoint: This option indicates whether the peer is an endpoint device.
- Advertised Networks: Displays the networks advertised by the gateway.
- Transport Type: Connection type between the peers. Available transport types are as follows.
  - Relay: Peers communicate with each other via a relay server hosted by Zenarmor.
  - P2P: Peers directly communicate with each other over an encrypted tunnel.
  - Local: Peers have a LAN connection between each other and communicate via this local network.
- Awaiting Signal: This option shows whether the peer has a connection with the coordinator server. It has a value of true when the peer is not responsive.
- Established At: The moment when the gateway is connected to the peer.
- Handshake Duration (ms): The time the handshake takes between the peers.
- RTT (ms): The time it takes to get a response from the corresponding peer after initiating a network request.
- Rflx Ip: Public IP address of the peer.
- Geo Lat: Latitude value of the GEO IP for the peer.
- Geo Lon: Longitude value of the GEO IP for the peer.
- Geo Country Code: Country code of the GEO IP for the peer.
- Geo Country: Country of the GEO IP for the peer.
- Geo City: City of the GEO IP for the peer.
- Self Session: Session ID of the peer.
- Peer Session: Session ID of the other peer.
Adding/Removing Users and Groups
Zenconsole enables you to define which users and groups are allowed to connect to your secure private network. You can manage overlay network membership by adding individual users or groups. Any endpoint devices that these users have previously added, as well as those they will add in the future, will be integrated into this overlay network.
Adding Users to an Overlay Network
To add users to an overlay network, you may follow the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the secure private network to which you want to add a user.
- Scroll down the page to reach the Overlay Network Membership section and locate the Users pane.
- Click + Add User button. This will display available users in your organization. You may use Search tool to find a specific user quickly.
- Select the user you want to add.
Figure 31. Adding User
- Repeat these steps to add additional users. All added users are displayed in the Users pane.
Figure 32. Approved Private Network Users
Removing Users from an Overlay Network
To remove a user from an overlay network, you may follow the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network from which you want to remove a user.
- In the Users pane under Overlay Network Membership, locate the user you want to remove.
- Click the X icon next to the user. This will display a notification window for confirmation.
- Click Remove to delete the user from the overlay network.
Figure 33. Delete User from Overlay Network
Adding Groups
To add groups to an overlay network, you may follow the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the secure private network to which you want to add a group.
- Scroll down the page to reach the Overlay Network Membership section and locate the Groups pane.
- Click + Add Group button. This will display available groups in your organization. You may use Search tool to find a specific group quickly.
- Select the group you want to add.
Figure 34. Add Group to Overlay
- You may add as many groups as you want. All added groups will appear in the Groups pane.
Figure 35. Approved Private Network Groups
Removing Groups
To remove a group from an overlay network, you may follow the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the secure private network from which you want to delete a group.
- In the Groups pane under Overlay Network Membership, locate the group you want to remove.
- Click the X icon next to the group. This will display a notification window for confirmation.
- Click Remove to delete the group from the overlay network.
Figure 36. Delete Group from Overlay
Deleting Private Secure Networks
To remove an overlay network from your organization, you may follow the next steps.
- Navigate to Secure Networks page of an organization on Zenconsole.
- Select the private network that you want to delete.
- Scroll down to the Delete Overlay Network pane.
- Click Delete Overlay Network button. This will display a dialog box for confirmation.
Figure 37. Delete Overlay-Network
- Type the network name to approve the removal of the private network.
Figure 38. Delete Overlay Network Confirmation
- Click Delete Overlay Network button. A message box will appear at the bottom right of the page for configuration updates.
- Click Trigger Update button for an immediate configuration update on all instances.
Deleting a secure private network from your organization will also remove all users, groups, and peers from this overlay network.