topic Re: Different configs for different VPN groups? in SASE and Remote Access

Different configs for different VPN groups?

VikingsFan — Thu, 03 Jul 2025 14:19:22 GMT

I can't find where I saw it one time and may be thinking of a different file but is there a way to push different trac_client_1.ttm configs depending on the VPN group they're in? Use case is we're checking out dynamic split vpn tunneling and I'm thinking about pushing different trac_client_1.ttm files to turn on/off the split tunnel flag depending on their group.

Maybe it was a different file related to VPN but I thought it was something like adding a _GROUPNAME after the file and it would load depending on their group. Am I thinking of a different file and is there any documentation on this? So far can't find what I'm thinking of.

This is the split tunnel doc we're following: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Dynamic-Split-Tunneling-for-SaaS.htm

Re: Different configs for different VPN groups?

Khairulanam — Mon, 07 Jul 2025 03:46:43 GMT

Hi VikingsFan,

You might want to look at the sk114882. The setting that you are looking for is "neo_route_all_traffic_through_gateway" in the ttm file.

Re: Different configs for different VPN groups?

VikingsFan — Mon, 07 Jul 2025 13:16:48 GMT

Morning,

I ran across that article also and yes is exactly what I was looking for, thanks! My plan is to have like a ttm_vendor group which will have our regular full-vpn settings and then the trac_client_1.ttm will have the "split_tunnel" configuration and set to "true".

The only thing I'm not clear on is if we can use our existing vpn groups. Say I have a VPN-VENDOR AD group, can it be part of the TTM_VENDOR group and get applied correctly or membership must be direct? Will test it but in case someone knows off hand.

Thanks!

Re: Different configs for different VPN groups?

Khairulanam — Mon, 07 Jul 2025 13:39:33 GMT

Yes, you can. Just make sure the group name starts with "ttm_", in your case, ttm_VENDOR. I haven't tried configuring the ttm with capital letters, though, but you may try and see if it still works.

In my opinion, since you already have an existing VPN-VENDOR group, why don't you rename it with the new name instead of creating a new group? It will be much easier since you do not need to add any new policy for that new group.

Re: Different configs for different VPN groups?

VikingsFan — Mon, 07 Jul 2025 13:57:42 GMT

There are processes and other things tied to the existing AD group names. Not being super familiar with it but what about the screenshot below? Can I have the Check Point LDAP group named properly but it points to my actual AD group name? So I can keep my existing naming convention in AD but it will match for the TTM name?

Re: Different configs for different VPN groups?

VikingsFan — Mon, 07 Jul 2025 17:13:29 GMT

It does appear that creating the ttm_vendor group and pointing it to a different AD group name will work. I'm having issues having the settings stay consistent though... for example, I switched the vendor.ttm file back to split_tunnel = false and in the client logs it keeps saying the gateway is configured to true. Is there a trick for getting the gateway to reread the file or consistently have the changes reflect?

Re: Different configs for different VPN groups?

PhoneBoy — Mon, 07 Jul 2025 17:26:47 GMT

As far as I know, TTM settings won't update on the client until the client disconnects and reconnects to the server.

Re: Different configs for different VPN groups?

VikingsFan — Mon, 07 Jul 2025 17:29:16 GMT

Thanks PhoneBoy. I've done it multiple times with no change on the client side. Reading the 'trac.log' file for changes but also running 'netstat -rn' shows the split tunneling even though I have it set to false (in both TTM files right now). Even tried shutting the client down completely and reconnecting with no change. I'm updating to R81.20 JHF 105 right now for fun and see if that changes anything.

Guessing a ticket might be in order if this is not expected behaviour.

Re: Different configs for different VPN groups?

PhoneBoy — Mon, 07 Jul 2025 17:42:01 GMT

If you make any changes to a TTM file, you must install the Access Policy for it to take effect.
This is documented here: https://support.checkpoint.com/results/sk/sk75221

Re: Different configs for different VPN groups?

VikingsFan — Mon, 07 Jul 2025 18:18:10 GMT

Yep, I've installed policy multiple times with no change. I even check the 'do not use install policy acceleration for all targets.' I'll keep checking.

Re: Different configs for different VPN groups?

PhoneBoy — Mon, 07 Jul 2025 18:32:36 GMT

That may only apply for the "main" TTM file (not the group-specific ones).
One other thing to try: after making the changes, try checking the file with vpn check_ttm.

Otherwise, you're probably in TAC case territory.