- Products
- Learn
- Local User Groups
- Partners
-
More
This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
- Products
- Learn
- Local User Groups
- Upcoming Events
- Americas
- EMEA
- Czech Republic and Slovakia
- Denmark
- Netherlands
- Germany
- Sweden
- United Kingdom and Ireland
- France
- Spain
- Norway
- Ukraine
- Baltics and Finland
- Greece
- Portugal
- Austria
- Kazakhstan and CIS
- Switzerland
- Romania
- Turkey
- Belarus
- Belgium & Luxembourg
- Russia
- Poland
- Georgia
- DACH - Germany, Austria and Switzerland
- Iberia
- Africa
- Adriatics Region
- Cloud Mates
- Eastern Africa
- Israel
- APAC
- Partners
- More
- ABOUT CHECKMATES & FAQ
- Sign In
- Leaderboard
- Events
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- CheckMates
- :
- Products
- :
- Mobile & Endpoint
- :
- Remote Access VPN
- :
- Re: Excluding specific destination from hub mode
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Kevin_Werner
Contributor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-01-30
01:20 PM
Excluding specific destination from hub mode
The CPU utilization on my vpn gateway gets out of control during company-wide webex meetings. For a lot of design reasons, the vast majority of my workforce needs to connect to my gateway in hub mode. Is there any way to exclude traffic to the webex ip address from going through the vpn tunnel back to my firewalls when my users are in hub mode.
To reiterate, I'd like my users to stay in hub mode, I just need to find a way to make traffic to webex get sent out of my end users' isp as opposed to through the vpn tunnel back to my gateway.
Reply
1 Solution
Accepted Solutions
LukeOxley
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-03-31
02:05 PM
If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:
- Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect.
- Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
- Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
- Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
- Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
- Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
- Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
- Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.
To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.
Hope that helps!
Luke
5 Replies
--THX1138--
Explorer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-01-31
04:26 AM
Hi
I don't have an answer for you. But I do want to inform you of my question in the same forum. Have a look.
https://community.checkpoint.com/t5/Remote-Access-Solutions/VPN-Mobile-Client-Tunneling-Exceptions/td-p/73650/jump-to/first-unread-message
Basically, I want the exact opposite of what you want (no hub-mode, except for certain traffic). The solution could be perhaps used for both our questions. Perhaps it's a good idea to keep an eye out for each others posts for potential solutions.
Greetz
LukeOxley
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-03-31
09:49 AM
If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:
- Disable hub mode.
- Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
- Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
- Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
- Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
- Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
- Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.
To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.
Hope that helps!
Luke
Reply
LukeOxley
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-03-31
02:05 PM
If you'd like configure the Remote Access routing to essentially route all traffic to the gateway, EXCEPT a certain list of hosts/subnets, then you need to do the following:
- Ensure "Route all traffic to gateway" is set to NO in Global Properties > Remote Access > SecureClient Mobile & Endpoint Connect.
- Ensure Hub Mode is set to ALLOW on the gateway object under VPN Clients > Remote Access.
- Create a new network group named 'All_Internet_Group', and add the default 'All_Internet' object to it.
- Create a new network group named 'ED-RemoteAccess_Exclusions'. Add all of the hosts/networks you'd like to be excluded from hub mode (I.E, routed locally on the client's end rather than across the VPN to the gateway).
- Create a new "group with exclusions" called 'ED-RemoteAccess', reference the 'All_Internet_Group' we created as the main group and the 'ED-RemoteAccess_Exclusions' we created as the exclusion group.
- Set the 'ED-RemoteAccess' group as the Remote Access encryption domain on the gateway topology.
- Ensure security rules and NAT rules are setup to support this configuration (I.E, security rules allow the OfficeMode subnet access to the Internet, and the OfficeMode subnet is NAT'd behind the gateway).
- Install policy, then disconnect/reconnect any existing connected clients so that they get the new routing table.
To put this into a scenario, lets say you want all traffic to be routed to the gateway (like it is in hub mode), apart from 167.20.10.0/24 (some random network I thought of, insert yours here) - you want the clients to route this out of their local connection rather than via the security gateway. Following the scenario above and adding the 167.20.10.0/24 network to the 'ED-RemoteAccess_Exclusions' group will achieve this.
Hope that helps!
Luke
Kevin_Werner
Contributor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-04-01
06:33 AM
Tremendous idea Luke, I'll test it out, sounds like it should absolutely work
Reply
LukeOxley
Participant
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2020-04-01
06:58 AM
Yep - we've had it working across a couple of setups quite well. Let me know how you get along. Available on DM if you hit any issues.
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY
©1994-2020 Check Point Software Technologies Ltd. All rights reserved.
Copyright
Privacy Policy
Facts at a Glance
User Center