https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221489#M3448 <P>By design, when you “add new site” you get information about all VPN gateways managed by the same SMS.<BR />Version/JHF level along with a diagram of what you’re trying to achieve will help tremendously.</P> Sun, 21 Jul 2024 15:39:30 GMT PhoneBoy 2024-07-21T15:39:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221481#M3447 <P>Hi Team.</P><P>I have one SMS and two RA GW. The first RA GW configured that send into vpn tunnel only needed subnets other traffic send to local ISP.&nbsp; The second GW configured that send all traffic into vpn tunnel and exclude some subnets to local ISP.&nbsp;</P><P>But now I have problem when user connect to the first GW, they received route that configured on the second GW. But on the 1st GW configure correct VPN Domain and user must receive route&nbsp; to vpn tunnel for some subnets.</P> Sun, 21 Jul 2024 14:23:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221481#M3447 Air 2024-07-21T14:23:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221489#M3448 <P>By design, when you “add new site” you get information about all VPN gateways managed by the same SMS.<BR />Version/JHF level along with a diagram of what you’re trying to achieve will help tremendously.</P> Sun, 21 Jul 2024 15:39:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221489#M3448 PhoneBoy 2024-07-21T15:39:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221492#M3449 <P>Version: R81.10 Take 150.</P><P>I installed two different RA GW, disable MEP.</P><P>And I want when users connect to first RA GW only office subnets route to vpn tunnel and other traffic through local ISP.</P><P>And when user connect to second RA GW all traffic route to vpn.</P><P>Now when user connect to first RA VPN that all traffic route to vpn and ignore VPN Domains for this GW.</P><P>I configured different VPN Domains.</P><P>Subnets that need route on first and second RA GW overlaps, because second RA GW route all traffic to vpn.</P><P>Is it possible using one SMS have two different rule for RA VPN?</P> Sun, 21 Jul 2024 17:53:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221492#M3449 Air 2024-07-21T17:53:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221493#M3450 <P>I think if you read below link ,it will clear certain things up. Specially section that talkes about IMPLICIT mep...</P> <P>Andy</P> <P>&nbsp;</P> <P><A href="https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/164758" target="_blank">https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/164758</A></P> Sun, 21 Jul 2024 17:55:49 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221493#M3450 the_rock 2024-07-21T17:55:49Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221494#M3451 <P>I read this. MEP is disabled.</P> Sun, 21 Jul 2024 18:00:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221494#M3451 Air 2024-07-21T18:00:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221495#M3452 <P>So please answer this question...how are enc domains configured? Is it overlapping or they have seperate subnets/groups? This info is IMPORTANT.</P> <P>Andy</P> Sun, 21 Jul 2024 18:06:13 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221495#M3452 the_rock 2024-07-21T18:06:13Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221496#M3453 <P>VPN-SINet-Subnets has list of subnets</P><DIV class="">&nbsp;</DIV><P>ED-remoteaccess has All-Internet-group&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 21 Jul 2024 18:16:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221496#M3453 Air 2024-07-21T18:16:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221497#M3454 <P>In such case, document says to follow ttm file to be manual, ie domains are NOT overlapping, which they are not in your case. I had done this for customers before and we followed exactly what it shows in the link I sent you, no issues.</P> <P>Andy</P> Sun, 21 Jul 2024 18:35:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221497#M3454 the_rock 2024-07-21T18:35:27Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221505#M3455 <P>I am not sure that understood.</P><P>Now I have config ttm file:</P><P><SPAN>automatic_mep_topology - false</SPAN></P><P><SPAN>mep_mode - dns_based</SPAN></P><P><SPAN>enable_gw_resolving - true</SPAN></P><P><SPAN>And nothing worked</SPAN></P><P>&nbsp;</P> Mon, 22 Jul 2024 02:42:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221505#M3455 Air 2024-07-22T02:42:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221506#M3456 <P>I will check in the morning, as I have this working in the lab. Make sure to follow al the steps from that document, it works 100%.</P> <P>Andy</P> Mon, 22 Jul 2024 03:04:31 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221506#M3456 the_rock 2024-07-22T03:04:31Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221556#M3457 <P>There's an SK that covers this specific scenario:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk111995" target="_blank">https://support.checkpoint.com/results/sk/sk111995</A>&nbsp;</P> Mon, 22 Jul 2024 12:55:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221556#M3457 PhoneBoy 2024-07-22T12:55:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221558#M3458 <P>Interesting...never recall having to follow this sk before.</P> <P>Andy</P> Mon, 22 Jul 2024 12:58:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/221558#M3458 the_rock 2024-07-22T12:58:57Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222487#M3459 <P>Problem was decided when remove MEP in the file trac.defaults . Disable MEP from GW side did not work</P> Thu, 01 Aug 2024 14:52:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222487#M3459 Air 2024-08-01T14:52:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222488#M3460 <P>Thats what document was indicating as well.</P> Thu, 01 Aug 2024 14:54:21 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222488#M3460 the_rock 2024-08-01T14:54:21Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222490#M3461 <P>In the document indicated on GW side (need edit file on GW), I removed on client side (edit client file).</P> Thu, 01 Aug 2024 14:57:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222490#M3461 Air 2024-08-01T14:57:12Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222491#M3462 <P>Never had to do that myself...what are versions of the gw/client?</P> <P>Andy</P> Thu, 01 Aug 2024 14:58:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222491#M3462 the_rock 2024-08-01T14:58:27Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222492#M3463 <P>GW - R81.10 Take 150, Client 88.30 and 86.50</P> Thu, 01 Aug 2024 15:00:59 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222492#M3463 Air 2024-08-01T15:00:59Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222493#M3464 <P>Done it with those versions, NEVER have I had to modify anything on the client side.</P> Thu, 01 Aug 2024 15:04:47 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-and-exclude-subnets/m-p/222493#M3464 the_rock 2024-08-01T15:04:47Z