Thought I'd share some of our experiences with SASE so far.
1. Secure Connect breaks dashboard
Not long after implementing Secure Connect tunnels, our switches went dark, literally dark. We couldn't see any activity, whether stuff was connected or not. Support initially thought it was a failed switch, but as it was happening in every single site with a Secure Connect, we disagreed. The solution was to add the dashboard ranges to the VPN exception rules, which brought everything back to life. I've raised this with the onboarding team, as it should surely either NOT break dashboard traffic by going through the tunnel, or be an exception by default.
The dashboard rules also fixed a problem with access points complaining about their regulatory domains being incorrect (because they're routing through Secure Connect DCs and appear to have changed country).
2. Hubs not supported
We've a fairly classic hub and spoke Auto VPN setup at the moment, with our hub site having a VPN concentrator. SASE currently doesn't support hubs. It's apparently coming, but right now this has stopped our rollout.
3. MTU on VPN tunnels
We have some internal security boxes that VPN out of the network to a DC. These broke. Support discovered that the MTU size was set to 1280, which was halting communication. Once again, the fix was to add these to the "bypass VPN tunnel" list.
The other frustration is that VPN exception rules ONLY allow CIDR ranges (despite what the GUI says), not hostnames.
Trying to remain positive, but there seems to be a lack of joined-up thinking. The dashboard rules are an absolute own goal. I'm sure I can't be the only company that would like to be able to route traffic over internal VPNs to our DC, rather than through Secure Connect VPNs to our DC?
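Since the exception rules in the post only take CIDR ranges and not hostnames, the practical problem is keeping a CIDR bypass list in step with what those hostnames actually resolve to. The following is an added helper, not code from the original post and not a Meraki tool: it merges explicit CIDRs with resolved host addresses into a collapsed list, checks whether a given destination would bypass the tunnel, and reports addresses the current list no longer covers (the stale-rule case). The hostnames and addresses are constructed sample data, and the resolver is injected so the script runs offline; in real use you would pass a function built on socket.getaddrinfo() and re-run it on a schedule.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed sample data (not real dashboard or DC addresses): what two
# hypothetical hostnames resolve to at the time the rules were written.
SAMPLE_RESOLUTION: Dict[str, List[str]] = {
    "dashboard.example.invalid": ["198.51.100.10", "198.51.100.11"],
    "dc-security.example.invalid": ["203.0.113.40"],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS resolution, backed by the constructed map."""
    return SAMPLE_RESOLUTION.get(host, [])


def bypass_list(hosts: Iterable[str], cidrs: Iterable[str], resolver: Resolver) -> List[str]:
    """Build the CIDR-only exception list the rules require.

    Explicit CIDRs are kept as given; each resolved host address becomes a
    host route (/32 or /128). Adjacent networks are collapsed per address
    family, since ipaddress.collapse_addresses() cannot mix v4 and v6.
    """
    v4: List[ipaddress.IPv4Network] = []
    v6: List[ipaddress.IPv6Network] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        (v4 if net.version == 4 else v6).append(net)
    for host in hosts:
        for addr in resolver(host):
            net = ipaddress.ip_network(addr)  # single address -> host route
            (v4 if net.version == 4 else v6).append(net)
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(net) for net in collapsed]


def is_bypassed(destination: str, bypass: Iterable[str]) -> bool:
    """True if the destination address falls inside any exception range."""
    ip = ipaddress.ip_address(destination)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in bypass)


def uncovered(hosts: Iterable[str], bypass: Iterable[str], resolver: Resolver) -> List[str]:
    """Addresses the hosts resolve to now that the stored rules do not cover.

    This is the drift check: if DNS for a bypassed service changes after the
    CIDR rules were written, that traffic silently goes back into the tunnel.
    """
    bypass = list(bypass)
    return [
        addr
        for host in hosts
        for addr in resolver(host)
        if not is_bypassed(addr, bypass)
    ]


if __name__ == "__main__":
    hosts = list(SAMPLE_RESOLUTION)
    rules = bypass_list(hosts, ["192.0.2.0/24"], sample_resolver)
    print("exception rules:", rules)
    print("198.51.100.11 bypassed:", is_bypassed("198.51.100.11", rules))
    # Simulate DNS moving one service to a new address after the rules were saved.
    moved = dict(SAMPLE_RESOLUTION, **{"dc-security.example.invalid": ["203.0.113.41"]})
    print("now uncovered:", uncovered(hosts, rules, moved.get))
```

The drift check is the part worth automating: a bypass list written as CIDRs is only correct for as long as the underlying hostnames keep resolving into those ranges, so comparing current resolution against the stored rules is how you notice before the symptom is another site going dark.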