We use a full mesh Check Point VPN; each site uses a gateway for Internet access (local breakout). However, there's a request to route a specific Internet site through another VPN site, which should deliver the traffic from that remote gateway and not the local breakout. Does anyone have any idea how this request can be achieved in Check Point VPN? Thanks in advance.
I am not sure, but I think you cannot route to a specific website over another VPN.
You have only 2 options: Internet traffic goes over each gateway, or all traffic goes through the central VPN firewall.
Perhaps configuring the file vpn_route.conf can help here? Have seen it used before many times but admittedly not for traffic going to an Internet site...
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Thanks for your reply. We have tried this way; however, when testing the traffic we see the traffic sent to the remote gateway through the VPN tunnel, but after that the traffic was dropped on the remote gateway with this log:
encryption failure : according to the policy the package should not have been decrypted.
If the traffic is not to an Internet site, then it is OK.
Configure CP in the specific site as a non-transparent proxy (you can add an interface to anchor the proxy functionality to it) and set up NAT to it in your branch gateway.
Create a PAC file for the branch to define the NATed proxy IP for the URL in question and exempt the rest of the web traffic using "DIRECT".
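As an added illustration of the PAC file described in the post above (this is example code, not the poster's or Check Point's own), the following `FindProxyForURL` sends only the target site to the branch-side NAT address of the hub proxy and returns `DIRECT` for everything else. The proxy address `10.0.0.10:8080` and the domain `example.com` are placeholders; replace them with the NATed proxy IP and the site in question.

```javascript
// PAC file (added example): route one site via the remote-site proxy,
// let all other web traffic use the local breakout ("DIRECT").

// Assumed placeholder for the NATed address of the hub-site proxy.
var PROXY_ENDPOINT = "PROXY 10.0.0.10:8080";
// Assumed placeholder list of domains that must leave via the remote site.
var ROUTED_HOSTS = ["example.com"];

// True when host equals a listed domain or is a subdomain of it.
// Written with indexOf/substring instead of the PAC built-in dnsDomainIs()
// and String.endsWith(), so it runs in old JScript-based PAC engines and
// also stand-alone (e.g. in Node) for testing.
function matchesRoutedHost(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < ROUTED_HOSTS.length; i++) {
    var d = ROUTED_HOSTS[i];
    if (h === d) {
      return true;
    }
    var suffix = "." + d;
    if (h.length > suffix.length &&
        h.substring(h.length - suffix.length) === suffix) {
      return true;
    }
  }
  return false;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (matchesRoutedHost(host)) {
    // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
    // request should fail rather than silently leave via the local breakout.
    return PROXY_ENDPOINT;
  }
  return "DIRECT";
}
```

The matching is done on the host only, so `notexample.com` is not treated as a subdomain of `example.com`; the deliberate absence of a `; DIRECT` fallback after the proxy entry keeps the target site from quietly falling back to the local breakout when the proxy is down.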
Hmm, seemed like a good idea to me, but then I found an article stating that it cannot work: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic goes throu... My customer uses R77.30. Anyway, I will ask them to run a small virtual machine with squid or some other proxy; it should work.
Just looked at the sk you are referencing. Perhaps it is applicable to R80+ as well, but these versions are not listed in the "Applies to" section.
You may want to run it by CP to figure out if it is still the case or if the product was modified to support it.