Contributor

Remote Access VPN - Split Tunneling with exclusions.

Hi, I currently have a full tunnel configuration for remote access users in my security blades, but I need to know if it is possible to make a split tunneling configuration where all the users' traffic goes to the Internet through the firewall except for some specific public IPs.

I have been thinking about creating an object group with exclusions, where I include the default network 0.0.0.0/0 and exclude the requested public IPs. The thing is that I am not sure whether it would work when I select this group with exclusions in the Remote Access Encryption Domain, because I believe that users will still receive the default network, ignore the excluded public IPs and send all the traffic to the firewall.

Do you know if there is a way to achieve what I am trying to do? Thanks!

0 Kudos
8 Replies
Champion

There is only one way to find out: test it.
Regards, Maarten
0 Kudos
Contributor

I have tried it and it has worked fine. Thanks 🙂

Admin

We have an example of this sort of config here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
It's geared towards Office 365, but can apply to anything.
0 Kudos
Contributor

It's such a shame this can't be done with FQDNs. We support customers with Pulse Secure and we are seeing customers more and more who want to allow Teams and other SaaS applications to break out locally but tunnel internet traffic through central datacentre for URL filtering. We all know the overhead of maintaining the network groups using IPs for these services rather than updateable objects or FQDN. 


Scott

0 Kudos
Advisor

Hi Scott,

that's more or less what the SK is covering... but for all of Office 365. If you want just Teams, you might use the script mentioned there and edit it to just import the Teams IPs. (The API output is sorted for that: https://endpoints.office.com/endpoints/worldwide - you might want to look for "serviceArea": "Skype")

FQDNs are also changing at M$ for the various services... AFAIK it is not just "teams.microsoft.com"; there are loads of redirects and so on, and some also change from time to time, depending on load or other things. Although you can take the script and edit it for your needs, i.e. you set up somewhere a plain text file with all directly connectable networks and let the script parse that...


For updatable objects I am with you, that would be good. The SK is doing something similar. Very basic, but as far as I understood, updatable objects are maintained in a similar way... (at least I found somewhere text files with (more beautiful and better) parsed MS API outputs 🙂 )

Daniel

0 Kudos
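To make the two ideas in this thread concrete (the original question's "0.0.0.0/0 group with exclusions" and Daniel's "filter the endpoints API by serviceArea"), here is an added example in Python. It is not the script from the SK and not Check Point's code; the endpoints JSON below is a constructed sample in the shape of the published worldwide endpoints API (the "serviceArea" and "ips" field names are the API's, the prefixes are documentation ranges, not Microsoft's real ones). It pulls the IPv4 prefixes for one serviceArea, then expands "everything except these" into the plain network list a client would actually end up routing into the tunnel, which is the part the original poster was unsure about.

```python
"""Split-tunnel exclusions worked through (added example, not from the thread).

1. service_prefixes(): pick the IPv4 ranges for one serviceArea out of
   endpoints-API-style JSON (e.g. "Skype" for Teams, as Daniel suggests).
2. encryption_domain(): expand "0.0.0.0/0 minus those ranges" into the
   explicit prefixes that remain, i.e. what a group-with-exclusions means
   once it is flattened to routes on the client.
"""
import ipaddress
import json

# Constructed sample in the shape of https://endpoints.office.com/endpoints/worldwide.
# Prefixes are RFC 5737/3849 documentation ranges, NOT real Microsoft ranges.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 11, "serviceArea": "Skype", "ips": ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
   "tcpPorts": "443", "required": true},
  {"id": 12, "serviceArea": "Skype", "ips": ["198.51.100.0/25"], "udpPorts": "3478-3481", "required": true},
  {"id": 46, "serviceArea": "Exchange", "ips": ["192.0.2.0/24"], "tcpPorts": "443", "required": true},
  {"id": 125, "serviceArea": "Common", "urls": ["example.invalid"], "tcpPorts": "443", "required": false}
]
"""


def service_prefixes(endpoints_json, service_area, version=4):
    """Return the de-duplicated, collapsed prefixes of one IP version for a serviceArea.

    Entries without an "ips" key are URL-only and are skipped: they cannot be
    expressed as encryption-domain exclusions at all (the FQDN limitation Scott
    raised above)."""
    nets = set()
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != service_area:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == version:
                nets.add(net)
    # collapse_addresses merges adjacent/overlapping blocks and drops duplicates
    return list(ipaddress.collapse_addresses(nets))


def encryption_domain(excluded, base="0.0.0.0/0"):
    """Expand `base` minus `excluded` into the explicit prefixes that remain.

    Mirrors what a network group "0.0.0.0/0 with exclusions" has to become when
    it is pushed to a client as concrete routes."""
    remaining = [ipaddress.ip_network(base)]
    for ex in sorted(excluded):
        next_remaining = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the sibling blocks around `ex`
                next_remaining.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # this piece is entirely inside an exclusion
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return list(ipaddress.collapse_addresses(remaining))


def goes_through_tunnel(domain, ip):
    """True if `ip` falls inside the expanded encryption domain (i.e. is tunneled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domain)


if __name__ == "__main__":
    teams = service_prefixes(SAMPLE_ENDPOINTS_JSON, "Skype")
    domain = encryption_domain(teams)
    print("excluded (local breakout):", [str(n) for n in teams])
    print("tunneled prefixes pushed to client:", len(domain))
    for ip in ("203.0.113.5", "198.51.100.7", "198.51.100.200", "8.8.8.8"):
        print(f"{ip:>16} -> {'tunnel' if goes_through_tunnel(domain, ip) else 'local'}")
```

The two-prefix exclusion already expands to 43 tunneled routes; real service lists run to hundreds of ranges, which is the maintenance overhead Scott describes and why the SK automates regenerating the group from the API instead of editing it by hand.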
Admin

If you ask me, a much better solution is to do the URL Filtering on the endpoint, which we are offering now with Cloud-Managed SandBlast Agent and are expected to have with on-prem management in R81.

0 Kudos
Advisor

How would that help to just "untunnel" a couple of services with dynamic destination IPs and URLs, while everything else is still tunneled?

Or do you mean to change completely to just tunnel internal networks, and everything else is then filtered by SandBlast on the client?

0 Kudos
Admin

Yes, tunnel only internal things across the VPN and do the filtering on the client for everything else.

0 Kudos