topic Re: Split Tunnel Domain group in SASE and Remote Access

Split Tunnel Domain group

cdooer — Tue, 04 Mar 2025 16:22:34 GMT

Hey folks. Wondering if anyone has gotten this working yet, and are using it in a production environment? I've tried following the instructions laid out in this document; https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Dynamic-Split-Tunneling-for-SaaS.htm , but when I attempt to add the domain group to the VPN group, I get

I've got a call open with TAC, thought I'd post it here as well just in case anyone had any ideas while TAC gets around to looking at it. Running R81.20.

Re: Split Tunnel Domain group

the_rock — Tue, 04 Mar 2025 16:49:44 GMT

Can you send a screenshot of what it looks like at the moment?

Andy

Re: Split Tunnel Domain group

the_rock — Tue, 04 Mar 2025 16:50:37 GMT

I can easily test it in R81.20 and R82 to see if any difference.

Andy

Re: Split Tunnel Domain group

CaseyB — Tue, 04 Mar 2025 16:59:03 GMT

What does your group look like? It did not give me any fuss in R81.20 JHF 89.

Re: Split Tunnel Domain group

the_rock — Tue, 04 Mar 2025 17:01:33 GMT

Yep, I tested the same, worked fine.

Andy

Re: Split Tunnel Domain group

cdooer — Tue, 04 Mar 2025 17:24:59 GMT

Strange indeed, here is mine

Re: Split Tunnel Domain group

the_rock — Tue, 04 Mar 2025 17:27:33 GMT

Just accept it and see if policy works.

Andy

Re: Split Tunnel Domain group

cdooer — Tue, 04 Mar 2025 20:26:53 GMT

Fails immediately.

Re: Split Tunnel Domain group

CaseyB — Tue, 04 Mar 2025 21:25:31 GMT

The names of groups don't line up between your screenshot and the validation error, so I feel like I'm missing something.

Are you nesting the earlier "VPN" group under the "Encryption.Domain" referenced in the validation error?

Re: Split Tunnel Domain group

the_rock — Tue, 04 Mar 2025 21:39:01 GMT

Make sure group you are adding has name exclusions_

Andy

Re: Split Tunnel Domain group

PhoneBoy — Wed, 05 Mar 2025 00:03:18 GMT

What EXACTLY are you configuring as your RemoteAccess encryption domain?
This should be a group object that includes the exclusions_ group you've created.

Re: Split Tunnel Domain group

cdooer — Wed, 05 Mar 2025 00:24:44 GMT

The Remote Access encryption domain is a group with exclusions;

This group looks as follows;

And the main group (non excluded) looks like this;

Re: Split Tunnel Domain group

the_rock — Wed, 05 Mar 2025 00:35:26 GMT

Just do how @CaseyB did it. I did it same way and it worked.

Andy

Re: Split Tunnel Domain group

cdooer — Wed, 05 Mar 2025 00:36:50 GMT

See screenshots below.

Re: Split Tunnel Domain group

cdooer — Wed, 05 Mar 2025 12:51:17 GMT

The problem is that's how we do traditional IP based split tunneling, which I don't want to break.

Re: Split Tunnel Domain group

CaseyB — Wed, 05 Mar 2025 13:59:56 GMT

You can leave the gateway encryption domain as is.

Make a new group that has all the IP addresses in it for RemoteAccess that you want
Add the exclusions_ group to that
Use the granular encryption domain for the RemoteAccess community

This will only effect stuff using that RemoteAccess community.

You could just clone the group you are using already and just remove the objects you are doing the exclude on.

Re: Split Tunnel Domain group

cdooer — Wed, 05 Mar 2025 20:06:14 GMT

So what's the difference between these two settings? I always thought they did the same thing;

Re: Split Tunnel Domain group

CaseyB — Wed, 05 Mar 2025 21:31:31 GMT

I am using my screenshot below for reference.

Section 1 - This is the default VPN domain for the gateway. RemoteAccess VPNs and IPsec VPNs will use this by default. It is a shared pool.
Section 2 - This is where you can create a more specific VPN domain for that IPsec VPN or RemoteAccess VPN. I highlighted objects that say, "According to the gateway", that means those VPNs use the encryption domain from section 1. Everything else is using their own specific group with a much more defined encryption domain.

Based on your new screenshots, you should just be able to add your "exclusions_" group to the group "VPN_Exclusion_Domain".

Re: Split Tunnel Domain group

the_rock — Thu, 06 Mar 2025 02:21:55 GMT

Thats exactly how I tested it as well.

Andy

Re: Split Tunnel Domain group

PhoneBoy — Thu, 06 Mar 2025 23:51:38 GMT

Dynamic Split Tunneling requires using Hub Mode, which will break your existing Split Tunneling configuration.