
Route a specific internet site through remote gateway

We use a full mesh Check Point VPN; each site uses a gateway for Internet access (local breakout). However, there's a request to route a specific internet site through another VPN site, which should deliver the traffic from that remote gateway and not the local breakout. Does anyone have any idea how this request can be achieved in Check Point VPN? Thanks in advance.

8 Replies

Re: Route a specific internet site through remote gateway

Hi,

I am not sure, but I think you cannot route to a specific website over another VPN.

You have only 2 options: Internet traffic goes out through each gateway, or all traffic goes through the central VPN firewall.

0 Kudos

Re: Route a specific internet site through remote gateway

The scenario is not exactly clear. Could you put a short diagram together on what you are trying to do, please?

0 Kudos

Re: Route a specific internet site through remote gateway

The only thing that comes to my mind is VTI and route-based VPN, depending on your mesh community size.

0 Kudos

Re: Route a specific internet site through remote gateway

Perhaps configuring the file vpn_route.conf can help here?  Have seen it used before many times but admittedly not for traffic going to an Internet site...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Route a specific internet site through remote gateway

Hi Timothy,

Thanks for your reply. We have tried this way; however, when we test the traffic, we see the traffic sent to the remote gateway through the VPN tunnel, but after that the traffic is dropped on the remote gateway with this log:

encryption failure : according to the policy the package should not have been decrypted.

If the traffic is not an internet site, then it is ok.

0 Kudos
Vladimir
Pearl

Re: Route a specific internet site through remote gateway

Configure CP at the specific site in non-transparent proxy mode (you can add an interface to anchor proxy functionality to it) and set up NAT to it in your branch gateway.

Create a PAC file for the branch to define the NATed proxy IP for the URL in question and exempt the rest of the web traffic using "Direct".
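
A PAC file of the kind suggested in the reply above, as an added example that is not part of the thread. The host name `portal.example.com`, the proxy address `192.0.2.10:8080` and the helper `hostMatches` are constructed placeholders, not values from the poster's environment.

```javascript
// Added example PAC file (constructed values, not from the thread).
// ROUTED_HOSTS: hypothetical site that must egress via the remote gateway.
// REMOTE_PROXY: hypothetical NATed address of the proxy at the remote site
// (192.0.2.0/24 is a documentation range).
var ROUTED_HOSTS = ["portal.example.com"];
var REMOTE_PROXY = "PROXY 192.0.2.10:8080";

// True when host equals domain or is a subdomain of it. Comparing against
// "." + domain keeps look-alike names such as "notportal.example.com"
// from matching on a bare suffix.
function hostMatches(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  domain = domain.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < ROUTED_HOSTS.length; i++) {
    if (hostMatches(host, ROUTED_HOSTS[i])) {
      // No "; DIRECT" fallback: if the remote proxy is unreachable the
      // request fails instead of leaving through the local breakout.
      return REMOTE_PROXY;
    }
  }
  // Everything else keeps using the local Internet breakout.
  return "DIRECT";
}
```

Leaving out the `DIRECT` fallback for the routed host is a deliberate choice: it makes a proxy outage visible rather than letting the traffic silently egress from the branch address.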

Re: Route a specific internet site through remote gateway

Hmm, seemed like a good idea to me, but then I found an article stating that it cannot work: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic goes throu... . My customer uses R77.30. Anyway, I will ask them to run a small virtual machine with squid or some other proxy, it should work.

Thanks!

0 Kudos
Vladimir
Pearl

Re: Route a specific internet site through remote gateway

Just looked at the sk you are referencing. Perhaps it is applicable to R80+ as well, but these versions are not listed in the "Applies to" section.

You may want to run it by CP to figure out if it is still the case or if the product was modified to support it.