https://community.checkpoint.com/t5/SASE-and-Remote-Access/Understand-Mobile-access-routing-split-tunelling-and-native/m-p/122811#M8352 <P>If this is about Mobile Access Portal only, then Google is not an internal Web Application, so the comparison is wrong. Did you consult the&nbsp;<SPAN style="font-family: inherit; background-color: #ffffff;">Mobile Access R81 Administration Guide already ? If you use other CP RA VPN possibilities beside MAB (Capsule, Mobile, Endpoint Security VPN...) you can route all traffic through the main site to participate from GW TP / TE / TX like when situated in the internal company network.</SPAN></P> Fri, 02 Jul 2021 11:40:56 GMT G_W_Albrecht 2021-07-02T11:40:56Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Understand-Mobile-access-routing-split-tunelling-and-native/m-p/122810#M8351 <P>Hi all,</P><P>&nbsp;</P><P>I'm struggling to understand how checkpoint Mobile Access handles routing and split-tunnel on remote clients.</P><P>I have Mobile Access with office mode. Doing some test I get this following logic. I will use an example tu explain the concept.</P><P>&nbsp;</P><P>Let's assume this scenario:</P><P>I have 2 Remote users Mario and Luigi.</P><P>We have 2 native applications: Server A and Server B.</P><P>Mario has a rule that allows to reach Server A.</P><P>Luigi has a rule that allows to reach Server B.</P><P>If we give a look at Mario's (or Luigi is the same) routing table once connected to VPN, he has both routes to Server A and B pointing to VPN tunnel even if his not authorized to go to Server B.</P><P>&nbsp;</P><P>So default behavior is that everything is declared as Native Application will be pushed as a route to Remote Clients. It's correct?</P><P>I could accept this logic but I'm facing a funny issue. On a customer I found a similar scenario as described before, but just assume that this time Server B is a public server...let's say google.com.</P><P>The result is that Mario can go to Server A, but not to google.com even if could use it's own internet connection (split-tunnel).</P><P>Luigi instead can go to google.com but using the VPN tunnel through corporate network.</P><P>&nbsp;</P><P>It's all correct or I'm missing some workaround or configuration to allow Mario to route traffic to goolge.com with out sending it to the VPN tunnel?</P><P>&nbsp;</P><P>Thank you,</P><P>Gianluigi</P> Fri, 02 Jul 2021 11:13:04 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Understand-Mobile-access-routing-split-tunelling-and-native/m-p/122810#M8351 gcarella 2021-07-02T11:13:04Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Understand-Mobile-access-routing-split-tunelling-and-native/m-p/122811#M8352 <P>If this is about Mobile Access Portal only, then Google is not an internal Web Application, so the comparison is wrong. Did you consult the&nbsp;<SPAN style="font-family: inherit; background-color: #ffffff;">Mobile Access R81 Administration Guide already ? If you use other CP RA VPN possibilities beside MAB (Capsule, Mobile, Endpoint Security VPN...) you can route all traffic through the main site to participate from GW TP / TE / TX like when situated in the internal company network.</SPAN></P> Fri, 02 Jul 2021 11:40:56 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Understand-Mobile-access-routing-split-tunelling-and-native/m-p/122811#M8352 G_W_Albrecht 2021-07-02T11:40:56Z