topic Re: Split Tunnel in SASE and Remote Access

Split Tunnel

Juan_Karlo_Cris — Thu, 28 Jun 2018 04:09:48 GMT

Hi Everyone,

Can someone help how to do split tunnel. I want to force the traffic of the VPN user to use their local internet provider when connected to the VPN tunnel so it will not consume the bandwidth of the company.

Thanks

Re: Split Tunnel

Houssameddine_1 — Thu, 28 Jun 2018 14:01:21 GMT

Split tunneling is enabled by default. you don't have to do anything.

Re: Split Tunnel

Gaurav_Pandya — Fri, 29 Jun 2018 12:09:30 GMT

Yeah Correct. Split tunneling is enabled by default for remote VPN users. You need to enable setting if you don't want split tunneling but by default it is enabled.

Re: Split Tunnel

Pedro_Espindola — Fri, 29 Jun 2018 15:05:28 GMT

Hello Juan,

The configuration is done in Global Properties. It is enabled by default. Configure the option "Route all traffic to gateway" to "No".

You can also set it to "Configured on endpoint client", so the user can route everything through gateway to be safer when needed.

Re: Split Tunnel

Sanjay_S — Tue, 02 Jun 2020 09:08:25 GMT

Hi All,

How to add a route in the routing table of the Remote Access VPN user?

Re: Split Tunnel

AndreiR — Tue, 02 Jun 2020 20:48:06 GMT

Hi Sanjay_S,

What's your final goal: to forward traffic to encryption domain or to exclude some traffic from encryption domain?

Are you working in hub mode when all traffic is routed to gateway or in regular mode (split tunnel) when non-encryption domain traffic is not routed to gateway?

Re: Split Tunnel

Sanjay_S — Wed, 03 Jun 2020 07:51:19 GMT

Hi AndreiR,
We are using Split tunnel mode. My goal is to add an additional subnet in the route table of the user machine when connected to Checkpoint endpoint security for a subnet and that should be routed towards Gateway.

Re: Split Tunnel

AndreiR — Fri, 05 Jun 2020 17:56:33 GMT

Hi @Sanjay_S ,

You may manually define VPN domain. Open Smart Console, open properties for specific gateway, go to Network Management –> VPN Domain. There you can select "Manual defined" and specify VPN domain using predefined network objects.

Hope that helps.

Re: Split Tunnel

Itops — Thu, 29 Oct 2020 14:58:50 GMT

if im using splittunnel setup and i would like to have the same rules, that is: a user should not have access to socialmedia when he is at the office and also when he is using splittunnel vpn. what do you suggest in this case?

Re: Split Tunnel

PointOfChecking — Thu, 15 Apr 2021 09:50:23 GMT

I also want to do this. I do not want to enable hub mode, but want to add additional subnet range of a 3rd party website.

I added the external range to my VPN Domain, but still no luck.

I don't even see any blocked packets in the Logs (either before or after the change).

Please help.

Re: Split Tunnel

Sanjay_S — Thu, 15 Apr 2021 13:00:58 GMT

Hi AndreiR,

You just need to add the new subnet in the VPN Domain.

Re: Split Tunnel

PointOfChecking — Thu, 15 Apr 2021 13:39:54 GMT

Thanks! That's worked!! I changed the wrong object at first.

Re: Split Tunnel

alancw — Tue, 20 Sep 2022 21:21:06 GMT

So at the moment I am routing all traffic to the gateway for my vpn set up. I want to only allow office 365 to break out locally on the endpoint. Do I have to turn off hub mode and select "No" to route all traffic to the gateway and just rely on the vpn domain to route traffic into my gateway. hope that makes sense....

Re: Split Tunnel

Chris_Atkinson — Tue, 20 Sep 2022 23:06:36 GMT

Have you reviewed sk167000 for your use case?

Re: Split Tunnel

alancw — Wed, 21 Sep 2022 12:12:05 GMT

Nice one thanks very much for that Chris. 👍

Re: Split Tunnel

alancw — Wed, 21 Sep 2022 21:49:31 GMT

Hi Chris, I used this SK tonight on our environment but it totally broke traffic going over the remote access vpn for some reason.

The IP Addresses for office 365 did route out the broadband which was all good. But all traffic back to the firewalls did not work.

Re: Split Tunnel

Chris_Atkinson — Wed, 21 Sep 2022 23:14:48 GMT

Do you try using ANY and or ALL INTERNET when configuring your group with exclusions?

Other than trying these alternatives I would suggest diagnosing further with the TAC.

Re: Split Tunnel

alancw — Mon, 03 Oct 2022 10:35:49 GMT

Yeah I tried to use "ANY" and I created a "ALL INTERNET" 0.0.0.0/0 to test but i only got some internal subnets working which is really weird. Do you know of any file on the manager that sends out the encryption domain to the client? that contains the subnets to encrypt?

thanks

Alan

Re: Split Tunnel

Chris_Atkinson — Mon, 03 Oct 2022 10:45:36 GMT

What Endpoint client version is used here?

To further expedite this I would recommend contacting TAC as above.

Re: Split Tunnel

alancw — Tue, 21 Feb 2023 22:56:40 GMT

Onto TAC now for the last 3 months, with no sign of fixing the issue that I have. has anyone else had this sort of issue before? Was there any way around this?