The CPU utilization on my VPN gateway gets out of control during company-wide Webex meetings. For a lot of design reasons, the vast majority of my workforce needs to connect to my gateway in hub mode. Is there any way to exclude traffic to the Webex IP address from going through the VPN tunnel back to my firewalls when my users are in hub mode?
To reiterate, I'd like my users to stay in hub mode, I just need to find a way to make traffic to Webex get sent out of my end users' ISP as opposed to through the VPN tunnel back to my gateway.
If you'd like to configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:
To put this into a scenario, let's say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.
Hope that helps!
Luke
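The scenario in the answer above can be checked offline with the following added example, which is not part of the original post and is not Check Point code. It assumes the intended outcome is the set difference "0.0.0.0/0 minus the exclusion group" for IPv4; the function names are hypothetical and the exclusion list is the sample network from the post.

```python
import ipaddress

# Sample input: the single network from the scenario in the post (IPv4 only).
EXCLUSIONS = ["167.20.10.0/24"]


def tunneled_prefixes(exclusions, universe="0.0.0.0/0"):
    """Return the CIDR blocks of `universe` that remain after removing every
    excluded network, i.e. what should still be routed to the gateway."""
    remaining = [ipaddress.ip_network(universe)]
    for raw in exclusions:
        # strict=True rejects entries with host bits set (e.g. 167.20.10.5/24),
        # a common typo when maintaining exclusion groups by hand.
        excl = ipaddress.ip_network(raw, strict=True)
        kept = []
        for net in remaining:
            if net.subnet_of(excl):
                continue                      # block is fully excluded
            if excl.subnet_of(net):
                kept.extend(net.address_exclude(excl))  # carve the hole
            else:
                kept.append(net)              # unrelated block, keep as-is
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def path_for(destination, exclusions):
    """Classify one destination: 'local' if it falls inside an excluded
    network (leaves via the user's own ISP), otherwise 'tunnel'."""
    addr = ipaddress.ip_address(destination)
    for raw in exclusions:
        if addr in ipaddress.ip_network(raw, strict=True):
            return "local"
    return "tunnel"


if __name__ == "__main__":
    prefixes = tunneled_prefixes(EXCLUSIONS)
    print(f"{len(prefixes)} prefixes stay in the tunnel")
    for dest in ("167.20.10.55", "167.20.11.1"):  # constructed test addresses
        print(dest, "->", path_for(dest, EXCLUSIONS))
```

Comparing this output with a connected client's routing table shows whether the exclusion group took effect and exactly which destinations no longer pass through the gateway's inspection.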
Hi
I don't have an answer for you. But I do want to inform you of my question in the same forum. Have a look.
https://community.checkpoint.com/t5/Remote-Access-Solutions/VPN-Mobile-Client-Tunneling-Exceptions/td-p/73650/jump-to/first-unread-message
Basically, I want the exact opposite of what you want (no hub-mode, except for certain traffic). The solution could be perhaps used for both our questions. Perhaps it's a good idea to keep an eye out for each other's posts for potential solutions.
Greetz
Tremendous idea, Luke. I'll test it out, sounds like it should absolutely work.