topic Re: Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs in SASE and Remote Access

Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

Sky — Sat, 28 Mar 2020 01:14:46 GMT

Hi all,

Is it actually possible to configure VPN RA in the default mode (split tunnel) but adding to the unsecured way the cloud services or anything else based on FQDN?

I am thinking of the R80.30 actually. I see Cisco called it Dynamic Split Tunneling and it seems it is something handled from their side. Is Checkpoint able to do the same in this moment?

Thanks to anybody for the feed backs in advance.

Regards,

Re: Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

Vladimir — Sat, 28 Mar 2020 13:43:25 GMT

Perhaps I am not reading your question right, but this is what should be happening by default:

When split tunnel is enabled, all traffic NOT addressed to the "Remote Access encryption domain" gateway's object properties should go via "Unsecured" channel regardless, so there is no need to define the O365, Youtube, etc. Dynamic objects for RA VPN policy.

Re: Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

Sky — Sat, 28 Mar 2020 14:13:45 GMT

Thank you Vladimir for your reply.
Actually I might have not expressed myself clear.

I will try the other way around, I need to pass all traffic to the GW except for the cloud based and intensive bandwidth (YouTube and similar services). Since the IP addresses changes for those services, would be great to use domains (FQDN).

Cisco has Dynamic Split Tunneling using FQDN as an attribute. Does checkpoint has something similar in this moment or if not, do they have this on their road-map anytime soon?

Sorry for the confusing first post, I hope this is more clear on what the achievement is.

Regards!

Re: Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

PhoneBoy — Sat, 28 Mar 2020 19:36:48 GMT

I think what you're trying to do is "route all traffic" over VPN but not for things like O365.
The encryption domain (what controls what is sent over the VPN) is fixed and doesn't support things like Updatable Objects or definition by FQDN.
I recommend engaging with your local Check Point office regarding this.

Re: Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

Cyber_Serge — Sat, 28 Mar 2020 20:36:07 GMT

I had similar question too. Looking at some old thread:
https://community.checkpoint.com/t5/Remote-Access-Solutions/Split-Tunnel/td-p/34675

I guess Check Point setting is to enabled split tunneling by choosing not to route all traffic to gateway. Then define which specific traffic need to be in the tunnel? (Thus, excluding other traffic such as Offie365....etc?)

Re: Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

PhoneBoy — Sat, 28 Mar 2020 21:24:11 GMT

My opinion: it's better to do whatever kind of filtering/logging you wish to do on the traffic at the client rather than route everything back to a central point to do it.
That will provide better protection/visibility in the long run.

I believe this is something we are working on as part of SandBlast Agent.