Solved: Always-On VPN with full traffic tunneling and spli...

gg_fga

Hi everyone,

I'm looking to implement an Always-On VPN setup using a Check Point Remote Access VPN client. The goal is to ensure that:

The VPN connection is mandatory: if the client is not connected to the VPN, it should not have access to the internet at all (no split tunneling).
All traffic (internal and internet) is routed through the corporate firewall when the VPN is active.
Exceptions are made only for traffic related to authentication to the VPN gateway (e.g., DNS resolution, SAML login, etc.).
When the device is on-site (corporate network), the VPN should detect it and not initiate the tunnel.

Is this kind of setup achievable?

Thanks in advance for your insights!

PhoneBoy

This requires a few things:

Hub Mode be configured (this routes all traffic through the VPN)
- You can exclude locally connected networks from this (to allow your users to, for instance, print to their local printer): https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...
- You can also exclude specific applications like Zoom from going through the VPN: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
- You can also require this only on certain firewalls: https://support.checkpoint.com/results/sk/sk111995
Endpoint Firewall (necessary to block access when disconnected from VPN). Note that this feature requires either Harmony Endpoint or CPEP-ACCESS licenses.
Location Awareness (disables VPN when certain conditions are met)

Harmony SASE also supports this configuration.

PhoneBoy

This requires a few things:

Hub Mode be configured (this routes all traffic through the VPN)
- You can exclude locally connected networks from this (to allow your users to, for instance, print to their local printer): https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...
- You can also exclude specific applications like Zoom from going through the VPN: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
- You can also require this only on certain firewalls: https://support.checkpoint.com/results/sk/sk111995
Endpoint Firewall (necessary to block access when disconnected from VPN). Note that this feature requires either Harmony Endpoint or CPEP-ACCESS licenses.
Location Awareness (disables VPN when certain conditions are met)

Harmony SASE also supports this configuration.

Are you a member of CheckMates?