https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277629#M14520 <P>Hi All,</P><P>We have a checkpoint firewall operating on R82 with remote access VPN functionality activated. We have set up a Full tunnel (Hub mode) with Dynamic Split tunneling (where only a few IP addresses are excluded), utilizing the object-group: <STRONG>exclusions_</STRONG></P><P>Upon examining the route print on the user machine, we observed that a default route has been injected with the mask 252.0.0.0. Consequently, we encountered an issue where, for the proxy solution to recognize the VPN network, it must align with the strict default route of 0.0.0.0 with a mask of 0.0.0.0.</P><P>1. What steps are necessary to insert a default route with the mask 0.0.0.0?</P><P>2. Given that we have dynamic split tunneling enabled, could this lead to any connectivity problems?</P><P>Thank you in advance for your help.</P> Sat, 30 May 2026 04:07:29 GMT SriNarasimha005 2026-05-30T04:07:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277629#M14520 <P>Hi All,</P><P>We have a checkpoint firewall operating on R82 with remote access VPN functionality activated. We have set up a Full tunnel (Hub mode) with Dynamic Split tunneling (where only a few IP addresses are excluded), utilizing the object-group: <STRONG>exclusions_</STRONG></P><P>Upon examining the route print on the user machine, we observed that a default route has been injected with the mask 252.0.0.0. Consequently, we encountered an issue where, for the proxy solution to recognize the VPN network, it must align with the strict default route of 0.0.0.0 with a mask of 0.0.0.0.</P><P>1. What steps are necessary to insert a default route with the mask 0.0.0.0?</P><P>2. Given that we have dynamic split tunneling enabled, could this lead to any connectivity problems?</P><P>Thank you in advance for your help.</P> Sat, 30 May 2026 04:07:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277629#M14520 SriNarasimha005 2026-05-30T04:07:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277670#M14521 <P>Hi Gents&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;</P><P>Hope you're doing well.</P><P>I’m currently stuck on this and need some help. Do you have a few minutes to give me your advice?</P> Mon, 01 Jun 2026 11:41:19 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277670#M14521 SriNarasimha005 2026-06-01T11:41:19Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277697#M14522 <P>I don't believe we ever inject a 0.0.0.0/0.0.0.0 route into the Remote Access client, which means this is likely an <A href="https://support.checkpoint.com/results/sk/sk71840" target="_self">RFE</A>.</P> <P>The only method I know for configuring the routes sent to the client is through the encryption domain or something like&nbsp;<A href="https://support.checkpoint.com/results/sk/sk92676" target="_blank">https://support.checkpoint.com/results/sk/sk92676</A>&nbsp;which is not your use case here.<BR />The only method I can think of is to set this route up AFTER connecting with the Remote Access client.</P> Mon, 01 Jun 2026 18:47:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277697#M14522 PhoneBoy 2026-06-01T18:47:27Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277704#M14523 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P><P>Thank you for your response. The encryption domain is set to 0.0.0.0/0 with few exclusions.</P><P>Given that we have several VPN firewalls, implementing a static route may not be effective. Is there a possibility of altering the trac file?</P> Tue, 02 Jun 2026 03:08:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277704#M14523 SriNarasimha005 2026-06-02T03:08:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277768#M14528 <P>Modify trac to do what, inject a 0.0.0.0/0.0.0.0 route?<BR />Like I said, that's probably an <A href="https://support.checkpoint.com/results/sk/sk71840" target="_blank">RFE</A> (i.e. not in the product).</P> <P>The static route I'm referring would have to be done on the client itself.<BR />Nearly 20 years ago, I actually wrote a Windows BAT file that would automate the process of creating a desired route based on what comes back from the VPN gateway:&nbsp;<A href="https://phoneboy.com/1405/fun-with-check-point-secureclient-and-windows-batch-files" target="_blank">https://phoneboy.com/1405/fun-with-check-point-secureclient-and-windows-batch-files</A><BR />Whether this still works or not is a separate question.</P> Tue, 02 Jun 2026 15:40:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Dynamic-Split-Tunneling/m-p/277768#M14528 PhoneBoy 2026-06-02T15:40:34Z