cdooer
Participant

Split Tunnel Domain group

Hey folks. Wondering if anyone has gotten this working yet, and is using it in a production environment? I've tried following the instructions laid out in this document: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content... , but when I attempt to add the domain group to the VPN group, I get

 

error.JPG

I've got a call open with TAC, thought I'd post it here as well just in case anyone had any ideas while TAC gets around to looking at it. Running R81.20. 

0 Kudos
37 Replies
the_rock
Legend

I think so.

0 Kudos
cdooer
Participant

Wonder if I can find a guide somewhere that would walk me through converting from whatever mode I'm in now, over to Hub Mode? Maybe that's a question for TAC...

 

0 Kudos
the_rock
Legend

0 Kudos
PhoneBoy
Admin

Dynamic Split Tunneling requires using Hub Mode, which will break your existing Split Tunneling configuration.

0 Kudos
cdooer
Participant

Hmm, ok. A couple of follow-up questions...

1 - Is Hub Mode gateway specific, meaning I can test it easily against a single VPN cluster, or does it affect the entire Remote Access Community?

2 - Is it possible to split tunnel domains, AND IP addresses in the same configuration?

0 Kudos
cdooer
Participant

TAC got back to me on Friday, and they say that Hub Mode isn't required for this to work; the problem seems to be the Group With Exclusions, rather than it being just a simple group. I've got another call with them later today, but I'm wondering if I could just add my normal IP exclusions to this new exclusions_ group, along with my domain objects? I tried it in my lab, and it didn't give me any validation errors, but I don't have any way to actually test the VPN connectivity in my lab in order to see what it shows in the client's routing table.

0 Kudos
Jan_Kleinhans
Advisor

Hi,

Did you find a way to migrate from "old" split tunneling to dynamic split tunneling?

At the moment our VPN Domain is a group with exclusions (any - special internet addresses like o365 which I generate via a script).

Now I want to go the new way. Do I have to create a Simple group with all "local networks + Internet" and add the exclusions_xxx group to this?  And do I also have to edit trac_conf.ttm?

Regards,

Jan

0 Kudos
PhoneBoy
Admin

That sounds correct, yes.

0 Kudos
