RemoteUser
Advisor

Check Point VPN route with low metric overriding more specific route from another tunnel

Hi Mates!!

I'm experiencing a routing issue when both the Check Point VPN client and another third-party VPN tunnel are active at the same time.

The Check Point VPN pushes a broad route (e.g., a /15 network) with metric 1, while the other tunnel adds a more specific route for a single IP with a higher metric.

As a result, traffic to that specific IP follows the Check Point route instead of the more specific one and gets lost.

Is there a way to configure the Check Point client (or gateway) so that the routes it pushes have a higher metric, preventing them from overriding more specific routes added by other adapters/tunnels?

12 Replies
Gaurav_Pandya

I recommend focusing on pushing only the required routes from Check Point rather than relying on routing preferences. You can achieve this by adding the specific network (for example, a /24 subnet) to the Remote Access VPN encryption domain group. This ensures that only the intended routes are pushed, which should resolve the issue.

PhoneBoy
Admin

It does not appear you can choose a metric for the route injected by the VPN client.
This would be an RFE.

the_rock
MVP Diamond

Good question bro. I would assume unless there is an option to change it somewhere from the web UI, not sure it can be done otherwise. You can ask TAC, but sounds like what PhoneBoy said about it being an RFE would make sense.

Best,
Andy
"Have a great day and if it's not, change it"
the_rock
MVP Diamond

Hey bro,

Just curious...is this split or full tunnel?

Best,
Andy
"Have a great day and if it's not, change it"
RemoteUser
Advisor

Hey bro,

Split Tunnel

the_rock
MVP Diamond

Does it make any difference with the full tunnel or have not tried that yet?

Best,
Andy
"Have a great day and if it's not, change it"
RemoteUser
Advisor

Not yet buddy.

the_rock
MVP Diamond

If possible, I would definitely test it.

Best,
Andy
"Have a great day and if it's not, change it"
RemoteUser
Advisor

Just checked, and with "route -n" you can see the metric, but not on the vpngw. This is annoying.

Bob_Zimmerman
MVP Gold

The metric is only used to decide between two routes for the same block. A more specific route should always be picked over a less specific route, and changing the metric won't affect this.

It sounds like something else is going on here.

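The longest-prefix rule Bob describes, and the `route -n` output RemoteUser mentions, as an added example that is not part of this thread: a small Python selector run over a constructed `route -n` table in which the broad /15 has metric 1 and the single-host /32 a higher metric. The interface names, gateway and addresses are made up, and `route -n` itself is assumed to print the Linux net-tools column layout.

```python
"""Longest-prefix match vs. metric, run over a constructed `route -n` table."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network
    gateway: str
    metric: int
    iface: str


def parse_route_n(output: str) -> List[Route]:
    """Parse the Linux net-tools `route -n` layout:
    Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in output.strip().splitlines():
        fields = line.split()
        # Skip the title and column-header lines; data rows start with an address.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields[:8]
        routes.append(Route(IPv4Network(f"{dest}/{mask}"), gw, int(metric), iface))
    return routes


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Host-stack route selection: the most specific (longest) prefix wins;
    the metric only breaks ties between routes of the same prefix length."""
    addr = IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed sample output (not captured from a real host): cpvpn0 stands for
# the Check Point adapter's /15 with metric 1, tun0 for the other tunnel's /32.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.254.0.0     U     1      0        0 cpvpn0
10.1.2.3        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
"""

if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dst in ("10.1.2.3", "10.1.2.4", "192.0.2.1"):
        r = select_route(table, dst)
        print(f"{dst:>10} -> {r.iface:7} {r.network} metric {r.metric}")
```

If the host's own table would already send 10.1.2.3 to tun0 but traffic still leaves via the Check Point adapter, the decision is being made somewhere other than this table, which is the point the later replies raise.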
PhoneBoy
Admin

It may be like it is on the gateway side where VPN routing happens at the kernel (driver) level.
Which means it doesn't matter what the metric on the client is. 

emmap
MVP Gold CHKP

If this is endpoint VPN, then probably we and the other VPN provider will tell you that having two VPN clients on the same machine isn't supported and is a potential security risk.

Otherwise, yeah, it'll be an RFE to get that metric to be configurable. It may be cosmetic though, in that our VPN driver in the kernel picks up the connection before it even reaches the OS routing table. I don't know enough about how it works that deeply in there, but that would explain why the more specific route doesn't take precedence.
