- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hey folks. Wondering if anyone has gotten this working yet, and are using it in a production environment? I've tried following the instructions laid out in this document; https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content... , but when I attempt to add the domain group to the VPN group, I get
I've got a call open with TAC, thought I'd post it here as well just in case anyone had any ideas while TAC gets around to looking at it. Running R81.20.
What does your group look like? It did not give me any fuss in R81.20 JHF 89.
Strange indeed, here is mine
Fails immediately.
The Remote Access encryption domain is a group with exclusions;
This group looks as follows;
And the main group (non excluded) looks like this;
You can leave the gateway encryption domain as is.
- Make a new group that has all the IP addresses in it for RemoteAccess that you want
- Add the exclusions_ group to that
- Use the granular encryption domain for the RemoteAccess community
This will only effect stuff using that RemoteAccess community.
You could just clone the group you are using already and just remove the objects you are doing the exclude on.
So what's the difference between these two settings? I always thought they did the same thing;
I am using my screenshot below for reference.
- Section 1 - This is the default VPN domain for the gateway. RemoteAccess VPNs and IPsec VPNs will use this by default. It is a shared pool.
- Section 2 - This is where you can create a more specific VPN domain for that IPsec VPN or RemoteAccess VPN. I highlighted objects that say, "According to the gateway", that means those VPNs use the encryption domain from section 1. Everything else is using their own specific group with a much more defined encryption domain.
Based on your new screenshots, you should just be able to add your "exclusions_" group to the group "VPN_Exclusion_Domain".
Full Tunnel I assume refers to Hub Mode.
It's "allowed" in the gateway object here:
You can require your clients to use it here:
As far as I know Updatable, Dynamic, or Domain can ONLY be used in this exclusions_ group and ONLY when Hub Mode is used (as configured above).
The only item in your RemoteAccess Encryption Domain is this exclusions_ group and not other objects (i.e. the stuff you want the client to access directly without being routed through the VPN tunnel).
When you are not using Hub Mode, then you must manually specify what hosts are in your encryption domain using standard Network and Host objects (not Updatable, Dynamic, or Domain objects as you're trying to do).
.png "Wolfgang"){kind=avatar}
Wed 10 Sep 2025 @ 11:00 AM (CEST)
Effortless Web Application & API Security with AI-Powered WAF, an intro to CloudGuard WAFWed 10 Sep 2025 @ 11:00 AM (EDT)
Quantum Spark Management Unleashed: Hands-On TechTalk for MSPs Managing SMB NetworksFri 12 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live Netherlands - Sessie 38: Harmony Email & CollaborationWed 10 Sep 2025 @ 11:00 AM (EDT)
Quantum Spark Management Unleashed: Hands-On TechTalk for MSPs Managing SMB NetworksFri 12 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live Netherlands - Sessie 38: Harmony Email & Collaboration