This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jessica_smith
Contributor
‎2018-05-11 07:06 AM
Jump to solution

Exclude Subnet


I don't want to configure split tunnel on the security gateway, I was wondering how I can exclude my subnet from full tunnel setup, is there any options?

1 Solution

Accepted Solutions
LukeOxley
Participant
‎2020-03-31 09:44 AM
Jump to solution

As @PhoneBoy says, you can use 'exclude_local_networks_in_hub_mode' attribute in the trac_client_1.ttm to exclude a user's local network when they're connected to Remote Access VPN and using hub mode...

OR

You can go for a more manual and customisable approach where you manually exclude any host/network required, rather than just being limited to the excluding a user's local network.

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect. 
  2. Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
  3. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  4. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  5. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  6. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  7. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  8. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

View solution in original post

12 Replies
PhoneBoy
Admin
Admin
‎2018-05-11 08:33 AM
Jump to solution

Let's put this in the Remote Access‌ section where it belongs.

Looks like you can achieve what you're after by following this SK: Cannot exclude local network when connected to Remote Access VPN via Hub Mode 

jessica_smith
Contributor
‎2018-05-23 12:35 AM
Jump to solution

Thanks Dameon, I followed your SK but it didnt help.

When ever I try to access a local resource (local VM on my PC), the traffic is still being sent through to SG.

I am trying to find a solution where i can have split tunnel enabled for my VPN (exclude local subnet going through SG which is enabled for hub mode) 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-23 01:12 AM
In response to jessica_smith
Jump to solution

Perhaps there is an error in the SK or there is a different issue.

Have you opened a TAC case?

Contact Support | Check Point Software 

0 Kudos
jessica_smith
Contributor
‎2018-05-23 01:35 AM
In response to PhoneBoy
Jump to solution

I have not as I dont have support contract with CP.

I there any solution where i can have split tunnel enabled for certain users on Checkpoint and other users will have to go through SG which is configured for Hub Mode?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-23 01:52 AM
In response to jessica_smith
Jump to solution

As far as I know this is a global setting.

That means either all users can do it or none can.

Did you modify trac_client_1.ttm as described in the SK?

Your partner (or whoever you have a support contract they) should be able to open a ticket with us as needed.

0 Kudos
jessica_smith
Contributor
‎2018-05-23 02:24 AM
In response to PhoneBoy
Jump to solution

Thanks Dameon

Is there any other option other than sk121766, to exclude local subnet from going through security gateways which is configured for HUB mode.

 I want to have split tunnel enabled for only specific users and other users I they will have to go through SG which is configured for Hub Mode?

Is it possible to configure split tunnel for some and full tunnel for other users ?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-23 07:30 AM
In response to jessica_smith
Jump to solution

As far as I know the settings apply to all users connecting to a given gateway but will double-check.

0 Kudos
jessica_smith
Contributor
‎2018-05-23 01:01 PM
In response to PhoneBoy
Jump to solution

thanks

PhoneBoy
Admin
Admin
‎2018-05-24 08:35 AM
In response to jessica_smith
Jump to solution

Looks like you can configure the TTM file per group.

In fact, the exact scenario you want is described in the following SK: Remote Access clients configuration based on group membership 

jessica_smith
Contributor
‎2018-05-24 01:14 PM
In response to PhoneBoy
Jump to solution

Thanks Smiley Happy

0 Kudos
rajesh_s
Contributor
‎2018-10-30 03:34 AM
In response to jessica_smith
Jump to solution

Hi Jessica,

Did you got the solution  for remote access vpn tunnel requirement?.

0 Kudos
LukeOxley
Participant
‎2020-03-31 09:44 AM
Jump to solution

As @PhoneBoy says, you can use 'exclude_local_networks_in_hub_mode' attribute in the trac_client_1.ttm to exclude a user's local network when they're connected to Remote Access VPN and using hub mode...

OR

You can go for a more manual and customisable approach where you manually exclude any host/network required, rather than just being limited to the excluding a user's local network.

If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:

  1. Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect. 
  2. Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
  3. Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
  4. Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
  5. Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
  6. Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
  7. Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
  8. Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.

To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.

Hope that helps!

Luke

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events