Hi, I currently have a full tunnel configuration for remote access users in my security blades, but I need to know if it is possible to make a split tunneling configuration where all the users' traffic goes to the Internet through the firewall except some specific public IPs.
I have been thinking about creating an object group with exclusions, where I include the default network 0.0.0.0/0 and exclude the requested public IPs. The thing is that I am not sure if it would work when I select this group with exclusions in the Remote Access Encryption Domain, because I believe that users will still receive the default network and will ignore the excluded public IPs and send all the traffic to the firewall.
Do you know if there is a way to achieve what I am trying to do? Thanks!
I have tried it and it has worked fine. Thanks 🙂
It's such a shame this can't be done with FQDNs. We support customers with Pulse Secure and we are seeing customers more and more who want to allow Teams and other SaaS applications to break out locally but tunnel internet traffic through central datacentre for URL filtering. We all know the overhead of maintaining the network groups using IPs for these services rather than updateable objects or FQDN.
Scott
Hi Scott,
That's more or less what the SK is covering... but for whole Office365. If you want just Teams, you might use the script mentioned there and edit it to just import the Teams IPs. (API output is sorted for that: https://endpoints.office.com/endpoints/worldwide - you might want to look for "serviceArea": "Skype")
FQDNs are also changing at M$ for the several services. AFAIK it is not just "teams.microsoft.com"; there are loads of redirects and so on, and some are also changing from time to time, depending on load or other factors. Although you can take the script and edit it for your needs, i.e. you set somewhere a plain text file with all directly connectable networks and let the script parse that...
For updatable objects I am with you, would be good. The SK is doing something similar. Very basic, but as far as I understood updatable objects are maintained in a similar way (at least I found somewhere text files with (more beautiful and better) parsed MS API outputs 🙂).
Daniel
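The filtering Daniel describes (keep only entries with "serviceArea": "Skype" from the endpoints API output), as an added example that is not part of the thread and is not the SK's script. The sample data is constructed, and the function name `tunnel_exclusions`, the IPv4-only choice, the `min_prefix` threshold and the RFC 1918 overlap check are assumptions added so that a bad feed entry cannot silently widen what bypasses the gateway.

```python
import ipaddress
import json

# Constructed sample in the shape of the endpoints API JSON output
# (documentation-range prefixes, not real Microsoft networks).
SAMPLE = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "ips": ["198.51.100.0/24"]},
  {"id": 2, "serviceArea": "Skype",
   "ips": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8::/32"]},
  {"id": 3, "serviceArea": "Skype", "urls": ["*.teams.example.com"]},
  {"id": 4, "serviceArea": "Skype",
   "ips": ["192.0.2.0/24", "10.20.0.0/16", "0.0.0.0/0", "not-an-ip"]}
]
""")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def tunnel_exclusions(endpoints, service_area="Skype", min_prefix=16):
    """Return (accepted IPv4 CIDRs, rejected entries) for one serviceArea."""
    accepted, rejected = [], []
    for entry in endpoints:
        if entry.get("serviceArea") != service_area:
            continue
        for raw in entry.get("ips", []):  # URL-only entries have no "ips"
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                rejected.append((raw, "unparseable"))
                continue
            if net.version != 4:  # assumption: exclusion group is IPv4 only
                rejected.append((raw, "not IPv4"))
            elif net.prefixlen < min_prefix:  # refuse very broad exclusions
                rejected.append((raw, "too broad"))
            elif any(net.overlaps(r) for r in RFC1918):
                rejected.append((raw, "overlaps internal space"))
            else:
                accepted.append(net)
    # Merge adjacent prefixes so the exclusion group stays small.
    merged = sorted(ipaddress.collapse_addresses(accepted))
    return [str(n) for n in merged], rejected

if __name__ == "__main__":
    nets, skipped = tunnel_exclusions(SAMPLE)
    print("exclude from tunnel:", nets)
    print("needs review:", skipped)
```

Anything in the rejected list should be reviewed by hand before the exclusion group is updated, rather than dropped silently.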
If you ask me, a much better solution is to do the URL Filtering on the endpoint, which we are offering now with Cloud-Managed SandBlast Agent and are expected to have with on-prem management in R81.
How would that help to just "untunnel" a couple of services with dynamic destination IPs and URLs, while everything else is still tunneled?
Or do you mean to change completely to just tunnel internal networks and everything else is then filtered by SandBlast on the client?
Yes, tunnel only internal things across the VPN and do the filtering on the client for everything else.
As of R81.20 this is now supported with updateable objects: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...