https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146096#M6968 <P>Split tunneling is a global setting, unfortunately, so it applies to everyone.</P> Tue, 12 Apr 2022 13:53:27 GMT PhoneBoy 2022-04-12T13:53:27Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146082#M6966 <P>Hello,</P><P>We have a request from our customer to implement split tunnel solution for certain user/users. Currently they have full tunnel remote access VPN.</P><P>I've found sk167000 (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk167000" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk167000</A>) tested it also in lab environment and it works great. But it's only applicable for a VPN community.</P><P>Is it possible to implement split tunneling somehow for a user group?</P><P>Thanks in advance!</P><P>Zsolt</P> Tue, 12 Apr 2022 12:47:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146082#M6966 zsszlama 2022-04-12T12:47:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146085#M6967 <P>I believe below is what you are looking for:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/16024iACE0897E2BE26378/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P>&nbsp;</P> <P> Andy</P> Tue, 12 Apr 2022 12:58:21 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146085#M6967 the_rock 2022-04-12T12:58:21Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146096#M6968 <P>Split tunneling is a global setting, unfortunately, so it applies to everyone.</P> Tue, 12 Apr 2022 13:53:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146096#M6968 PhoneBoy 2022-04-12T13:53:27Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146162#M6969 <P>I believe this option just defines which with authentication method can user authenticate on the VPN client.</P> Wed, 13 Apr 2022 07:09:44 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146162#M6969 zsszlama 2022-04-13T07:09:44Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146163#M6970 <P>That's what I thought. Thanks, PhoneBoy!</P> Wed, 13 Apr 2022 07:10:49 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146163#M6970 zsszlama 2022-04-13T07:10:49Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146182#M6971 <P>route all traffic to gateway (yes/no/decide on endpoint)</P><P>make the default in the trac.default file to route all traffic to gateway, but tell specific users to manually untick the checkbox in their client?</P> Wed, 13 Apr 2022 09:58:36 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146182#M6971 JanVC 2022-04-13T09:58:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146195#M6972 <P>Sounds good. May I ask for an SK or example from where I can learn and test it?</P> Wed, 13 Apr 2022 12:22:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146195#M6972 zsszlama 2022-04-13T12:22:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146253#M6973 <P>in the global properties you set the "route all traffic to gateway" to "configured on endpoint client" for oth the secureclient mobile and endpoint connect options</P><P>on the gateway object you tick the box for "allow vpn clients to route traffic through this gateway" and you configure the remote access encryption domain for the split vpn users</P><P>if the end user connects once to the gateway, the setting to route all traffic to gateway will no longer be greyed out and the user can freely choose between full tunnel or split tunnel</P><P>you could create a new vpn package one for full tunnel users and one for split tunnel users and install accordingly, that way you don't have to teach them about the setting</P><P>download the tool from <SPAN>sk122574</SPAN></P><P>i believe you need the setting "neo_route_all_traffic_through_gateway"</P><P>&nbsp;</P> Thu, 14 Apr 2022 06:32:35 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146253#M6973 JanVC 2022-04-14T06:32:35Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146280#M6974 <P>Thanks Jan!</P><P>&nbsp;</P><P>Meanwhile I've found sk114882. Based on that and your help it works for me in lab environment.</P><P>In addition to your settings I've modified the ttm files:<BR /><BR /></P><P>In the test group file:</P><P><EM>:neo_route_all_traffic_through_gateway (</EM></P><P><EM>:gateway (endpoint_vpn_route_all_traffic_through_gateway</EM></P><P><EM>:default (client_decide)</EM></P><P><EM>)</EM></P><P>&nbsp;</P><P>In the trac_client_1 file:</P><P><EM>:neo_route_all_traffic_through_gateway (</EM></P><P><EM>:gateway (endpoint_vpn_route_all_traffic_through_gateway</EM></P><P><EM>:valid (false)</EM></P><P><EM>:default (true)</EM></P><P><EM>)</EM></P> Thu, 14 Apr 2022 13:48:50 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Split-tunnel-for-User-Usergroup/m-p/146280#M6974 zsszlama 2022-04-14T13:48:50Z