https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255111#M42869 <P>Hi Check Point experts,</P><P>Since the customer switched from Palo Alto to Check Point a year ago, they have been consistently dissatisfied with the SSL VPN functionality. Recently, they raised another feature that they previously achieved on PA — as stated in the subject: “Is it possible to assign specific routes to certain users or user groups?”</P><P>The customer provided me with a screenshot showing their previous configuration on PA. I’m unsure whether Check Point can implement this functionality, or if there are other Check Point products that can meet the customer’s needs.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="messageImage_1755128782778.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31220i4EB91967955114EB/image-size/large?v=v2&amp;px=999" role="button" title="messageImage_1755128782778.jpg" alt="messageImage_1755128782778.jpg" /></span></P><P>&nbsp;</P><P>I would appreciate any advice from the experts.</P> Thu, 14 Aug 2025 01:43:58 GMT Vanness_Chen 2025-08-14T01:43:58Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255111#M42869 <P>Hi Check Point experts,</P><P>Since the customer switched from Palo Alto to Check Point a year ago, they have been consistently dissatisfied with the SSL VPN functionality. Recently, they raised another feature that they previously achieved on PA — as stated in the subject: “Is it possible to assign specific routes to certain users or user groups?”</P><P>The customer provided me with a screenshot showing their previous configuration on PA. I’m unsure whether Check Point can implement this functionality, or if there are other Check Point products that can meet the customer’s needs.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="messageImage_1755128782778.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31220i4EB91967955114EB/image-size/large?v=v2&amp;px=999" role="button" title="messageImage_1755128782778.jpg" alt="messageImage_1755128782778.jpg" /></span></P><P>&nbsp;</P><P>I would appreciate any advice from the experts.</P> Thu, 14 Aug 2025 01:43:58 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255111#M42869 Vanness_Chen 2025-08-14T01:43:58Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255112#M42870 <P>Which remote access client/method are they using for SSL VPN? If it's client based then I think we don't have anything other than the global encryption domain. If they're doing clientless SSL VPN via Mobile Access portal, then the closest thing we have is Native Applications that can allow access to specific network ranges per user.&nbsp;</P> <P>I don't know if Harmony SASE provides anything along these lines.</P> Thu, 14 Aug 2025 03:42:25 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255112#M42870 emmap 2025-08-14T03:42:25Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255114#M42871 <P>Hi Emmap:</P><P>Thank you for your reply.</P><P><BR />The customer has used both methods, but this requirement is mainly intended to be implemented by configuring it on clientless SSL VPN. Since the users for this requirement must connect in <EM>Network Mode</EM> to function properly, <EM>Application Mode</EM> is not being considered by the customer.</P> Thu, 14 Aug 2025 03:53:25 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255114#M42871 Vanness_Chen 2025-08-14T03:53:25Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255115#M42872 <P>OK, so if I'm understanding this right, Native Applications will provide per-user access to specific hosts or subnets on specific services. See:</P> <P><A href="https://sc1.checkpoint.com/documents/SSL_Network_Extender_AdminGuide/Content/Topics-SNX-Admin-Guide/SNX-for-MAB-Endpoint-Native-Apps.htm?tocpath=SSL%20Network%20Extender%20(SNX)%20for%20Mobile%20Access%7CEndpoint%20Native%20Applications%7C_____0" target="_blank">https://sc1.checkpoint.com/documents/SSL_Network_Extender_AdminGuide/Content/Topics-SNX-Admin-Guide/SNX-for-MAB-Endpoint-Native-Apps.htm?tocpath=SSL%20Network%20Extender%20(SNX)%20for%20Mobile%20Access%7CEndpoint%20Native%20Applications%7C_____0</A></P> Thu, 14 Aug 2025 04:30:30 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255115#M42872 emmap 2025-08-14T04:30:30Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255118#M42874 <P>Hi Emmap:</P><P>I would like to provide additional context for this requirement. The users in question are the customer’s vendor partners, who want to be able to access their own local network’s internal services while connected to the customer’s VPN. However, since the customer’s VPN Domain is defined as 10.0.0.0/8, once the users connect to the VPN, their traffic is routed into the VPN network, preventing them from accessing their own local internal services.</P> Thu, 14 Aug 2025 06:13:48 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255118#M42874 Vanness_Chen 2025-08-14T06:13:48Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255126#M42877 <P>OK, I think I understand. In older versions (using what is now Legacy Mobile Access policy), the encryption domain is the set of authorised locations configured in the applications allowed to a user. When utilising the Unified policy setup, the users all get the encryption domain configured on the gateway.&nbsp;</P> <P>This method of encryption domain per user group may still work to provide what you're after.&nbsp;</P> <P><A href="https://support.checkpoint.com/results/sk/sk32111" target="_blank">https://support.checkpoint.com/results/sk/sk32111</A></P> <P>&nbsp;</P> Thu, 14 Aug 2025 07:27:41 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255126#M42877 emmap 2025-08-14T07:27:41Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255128#M42879 <P>Hi Emmap:</P><P>Thank you for providing the SK. I believe this should be able to address the customer’s requirement.</P><P>However, the customer is currently using a Unified Policy. If we want to apply the configuration described in the SK, will it be necessary to switch to a Legacy Policy?</P><P>Will making this adjustment affect users who are using the Endpoint Agent?</P><P>I think I will need to set up a LAB and also get assistance from TAC.<BR />All in all, I really appreciate your suggestion.</P> Thu, 14 Aug 2025 07:53:26 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255128#M42879 Vanness_Chen 2025-08-14T07:53:26Z https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255197#M42887 <P>I believe the configuration in the SK will apply to Unified Policy deployments, but I have not tried it so testing in a lab environment would be good if that's feasible. Let us know how you go with it!</P> Fri, 15 Aug 2025 01:57:32 GMT https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-Can-specific-routes-be-assigned-to-particular/m-p/255197#M42887 emmap 2025-08-15T01:57:32Z