
Add additional IP routes to Check Point Endpoint Security VPN client?

Dear Checkmates.

This is my first post and I am new to Check Point products, so please accept my apologies if information is missing or incomplete. I would welcome advice on what details to provide in future.

My organisation's public Internet perimeter is protected by a pair of CPAP-SG5900-NGTX appliances running Gaia R80.20 in a ClusterXL configuration. These appliances have the Mobile Access blade licensed (amongst other blades). We have remote clients connecting to the 5900 appliances via the Check Point Endpoint Security VPN software (E80.87 Build 986009514).

I have had a request to route a particular public IP address over the VPN tunnel instead of natively routing via the public Internet. I can see that many extra IP routes are added to the client's routing table when the VPN software is connected. When the VPN is disconnected, these additional IP routes are no longer present. The new destination IP address does not appear in the list of additional routes. I assume that these additional routes are downloaded from the appliance?

My question is how and where are these additional routes configured? The R80.20 administration guide suggests using the Check Point Database Tool (GuiDBedit) via sk13009, but I am unable to load this application when I point it at either of the appliances or the mgmt. appliance. I receive a pop-up telling me that the 'Connection cannot be initiated'. A Google search of this suggests that there may be a firewall rule blocking access. I have not explored this further in case there is another solution.

Again, apologies if my explanation is missing any important information. Please let me know what information will assist further.

Many thanks,

Andy
5 Replies
Admin

Those routes on the client are for everything inside the Encryption Domain.
The way you influence that is to add/remove things from the Encryption Domain.

Hello PhoneBoy.

Many thanks for responding! So this is where the SecureClient downloads the topology from the gateway? Sorry, I'm finding my way around Check Point (my experience is with Cisco ASAs). Where do I add / remove items in this encryption domain for the client VPN?

Thanks,

Andy

Admin

Edit the gateway object.
You will have to create a group that contains all your internal networks plus the remote server in question.
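
An added example, not part of the original thread and not Check Point code: one way to confirm on a client that a destination really is routed through the tunnel after the Encryption Domain group has been changed and the client has reconnected. It assumes routing-table snapshots in the Windows `route print` IPv4 layout; all addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed snapshots in Windows `route print` layout (assumed client OS).
# Addresses are private/documentation ranges, not values from the thread.
BEFORE_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""
# Connected, before the server was added to the Encryption Domain group.
AFTER_VPN_OLD = BEFORE_VPN + """\
         10.0.0.0        255.0.0.0         On-link      172.16.10.5      1
"""
# Connected, after the server (constructed: 203.0.113.25) was added.
AFTER_VPN_NEW = AFTER_VPN_OLD + """\
     203.0.113.25  255.255.255.255         On-link      172.16.10.5      1
"""

IP = r"((?:\d+\.){3}\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Return a set of (network, interface_ip) for each IPv4 route row."""
    routes = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and non-route lines simply do not match
            dest, mask, _gw, iface, _metric = m.groups()
            routes.add((ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface))
    return routes

def tunnel_route_for(target, before, after):
    """Return the VPN-added network that wins longest-prefix match for target,
    or None if the winning route already existed before the VPN connected.
    Metrics are ignored; equal-length prefixes are not disambiguated."""
    addr = ipaddress.ip_address(target)
    added = parse_routes(after) - parse_routes(before)
    matches = [r for r in parse_routes(after) if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[0] if best in added else None

if __name__ == "__main__":
    for label, snap in (("old domain", AFTER_VPN_OLD), ("new domain", AFTER_VPN_NEW)):
        print(label, "->", tunnel_route_for("203.0.113.25", BEFORE_VPN, snap))
```

A result of `None` means the destination still leaves via a route that existed before the VPN connected, so the address is not yet covered by the routes the client received.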



Thank you ever so much PhoneBoy. That's exactly what I was looking for. I've located the group and amended it accordingly.

Thanks again,

Andy

Looking for that too, thank you!
