We are running a split tunnel for remote access users. We send traffic back to the gateway for certain sites for which we have IP filtering enabled (security reasons). This process works well when the destination IPs are known and we are made aware of changes.
We have encountered a few sites whose IPs are now changing due to cloud load balancers etc. I am wondering if anyone has ever found a way to automatically update the remote access group? I would think the firewall could do a DNS lookup and update the firewall group via the API?
Before I try and undertake this, I wanted to see if anyone has successfully accomplished something like this?
In R81.20, you’ll have the ability to use updatable objects and the like for the Remote Access encryption domain.
Recommend joining the production EA.
That is fantastic news! Something we have wanted for years!
Will it also support domain objects? Or will it be limited to Check Point's updatable objects?
From what I understand, you'll be able to include Updatable, Dynamic, or Domain objects as part of this.
In the meantime, you can employ this manual workaround: sk167000.
@PhoneBoy is this feature indeed implemented in 81.20?
We are looking to exclude MS Teams subnets out of our VPN encryption domain for remotes users (using Group with Exclusions), and to have it dynamically updatable of course.
There is a caveat here. You cannot "include" dynamic objects, only "exclude" them. So depending on how your split VPN tunnel is set up, this feature may not help. For example, we only "include" IP addresses we want VPN users to come back to on-prem for. All other traffic is sent out. This helps limit the amount of traffic coming back to on-prem.
Does anyone know if CP plans to address this scenario in the future?
For an "inclusive" encryption domain, you don't use Hub Mode, which is what forces all traffic to route to the gateway.
Whether the dynamic elements of this work or not without Hub Mode enabled is a separate question, but you can certainly list static hosts and networks to "include" in this situation.
Correct, we are using static hosts; the question is around dynamic objects and updatable objects in the "inclusive" split tunnel. Is that in future plans?
It may already work...have you tried it?
Whether it's supported or not is a separate question, and this may require an RFE with your local Check Point office.
Am curious about the precise use case for this...what dynamic objects do you wish to "include" in your Remote Access encryption domain?
There are various use cases. Let's say a client site does IP filtering for a portal we use. We would want to apply that domain name in the RAC vs having to maintain an IP list. We also might use IP filtering for MS Teams or other applications that have CP Updatable objects etc.
It's funny you mention MS Teams because that's usually an app that people want to exclude from Hub Mode...
Like I said, it may already work.
However, this feature was developed for Hub Mode.
Yes, that makes sense it was developed for Hub Mode. I think it will get tricky using the inclusive mode due to the nature of the Windows routing table, which is used to control the traffic in a split tunnel. Once we get to R81.20 we will test some of the functionality out. The challenge on our side is that we have a lot of secure portals that our users access. These portals all have IP filters on them. It becomes a challenge to manage them with destination IP address lists, especially as some of these portals move to AWS etc. and don't have a set range of IP addresses.
Hi Dan, did you find a way to achieve that? We are in the same scenario: we want to "include" some cloud-based applications in our RA VPN domain that are filtered by a WAF allowing only the egress IP of the GW. At least for now, every time that one IP is changed we receive a ticket to update that on our domain, and we are looking to automate that.
@PhoneBoy one of our challenges is, for example, Salesforce.
Hi there Roh_oh. Unfortunately there isn't a way to do this yet. We face the same issues you are. I think CP sort of has the logic backwards with the current solution. Ideally, with a split tunnel the default should be "Internet" and not "on prem". Only go back to "on prem" for applications/sites that you want. Our RAC is fairly large these days, and we have a few sites that we cannot get static IPs or network ranges for. We have worked around this by using published MS Edge shortcuts in Citrix.
We are looking at CP Harmony Connect soon, and may route all traffic through this; hopefully we will get a range of static IPs that remote sites can then filter on.
As far as Salesforce, we have a range of IPs for Salesforce, so you might be able to get that range added to your RAC.
Harmony Connect will provide you static IPs for access; they are instance specific and can be obtained from TAC.
Thanks. That will be great. Will all customers have the same IPs though? Or are they unique per customer?
The concept of IP filtering is to ensure that connections are coming from a certain customer etc.
I believe the IPs are per tenant (customer instance) per location.
Now that would be fantastic! We are going to test it out soon.
I was very disappointed when I saw your reply message hehe, but then we revived the topic! About Salesforce, in August they started to migrate some clients (Hyperforce) to public cloud-based infra; I don't know if you are using that, but take a look.
@PhoneBoy tomorrow I will take a look at Harmony Connect, thanks!
@Roh_oh - please keep me posted on how things work out for you. Our team here is occupied with some other projects for the next few months, but will be doing a full-scale eval of Harmony soon. If we can get the IP filtering and leverage IPS protections etc., it will be a huge win in securing our users when remote and will solve the split tunnel issues we face with IP filtering and dynamic objects/sites.
Hey Check Point... It's been 3 years... we're still waiting...
This is a basic feature that should have been fleshed out by now.
And it STILL doesn't work.
As a workaround, we created a lambda function that updates the IPs using API.
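The workaround the poster above describes (a scheduled function that resolves the sites' DNS names and pushes the result into a Management object group) can be sketched as follows. This is an added example, not the poster's Lambda, not code from the linked GitHub project and not Check Point's own code. Assumptions, all labelled in the code: the Management API commands `login`, `add-host`, `set-group` (with `members.add`/`members.remove`), `delete-host`, `publish` and `logout` with the payload shapes shown; a pre-existing group `RA_DYNAMIC_SITES` that the Remote Access encryption domain references; auto-created host objects named `dyn-<ip>`; the hostname, members and DNS answers are constructed sample data. Only the resolve-and-diff step runs offline; `apply_plan()` is the network step.

```python
"""Added example: keep a Check Point Management group in sync with DNS.

Not Check Point's code. Assumed (labelled) Management API endpoints:
/web_api/login, add-host, set-group, delete-host, publish, logout.
"""
import json
import socket
import ssl
import urllib.request

HOST_PREFIX = "dyn-"  # assumed naming convention for auto-created host objects


def resolve_all(names, resolver=socket.getaddrinfo):
    """Return the set of IPv4 addresses the given DNS names resolve to right now.

    `resolver` is injectable so the diff logic can run with constructed data.
    """
    ips = set()
    for name in names:
        try:
            for entry in resolver(name, None, socket.AF_INET, socket.SOCK_STREAM):
                ips.add(entry[4][0])
        except socket.gaierror:
            # A name that fails to resolve is skipped; the guard in
            # plan_group_update() stops an all-failed run from emptying the group.
            continue
    return ips


def plan_group_update(group, current_members, desired_ips):
    """Diff the group's current host members against freshly resolved IPs.

    current_members: {host_object_name: ip} as read from show-group (assumed).
    Returns an ordered list of (api_command, payload) tuples. Refuses to build
    a plan that would empty the group, which is what a DNS outage looks like.
    """
    if not desired_ips:
        raise ValueError("DNS resolved to nothing; refusing to empty group %s" % group)
    current_ips = set(current_members.values())
    to_add = sorted(desired_ips - current_ips)
    to_remove = sorted(n for n, ip in current_members.items() if ip not in desired_ips)
    plan = []
    for ip in to_add:
        plan.append(("add-host", {"name": HOST_PREFIX + ip, "ip-address": ip}))
    if to_add or to_remove:
        members = {}
        if to_add:
            members["add"] = [HOST_PREFIX + ip for ip in to_add]
        if to_remove:
            members["remove"] = to_remove
        plan.append(("set-group", {"name": group, "members": members}))
    # Hosts are deleted only after they are no longer referenced by the group.
    for name in to_remove:
        plan.append(("delete-host", {"name": name}))
    return plan


def apply_plan(plan, server, user, password, ca_file=None):
    """Network step: send the plan to the Management API, publish, log out."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the management cert

    def call(cmd, payload, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # assumed session header name
        req = urllib.request.Request(
            "https://%s/web_api/%s" % (server, cmd),
            data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        for cmd, payload in plan:
            call(cmd, payload, sid)
        call("publish", {}, sid)
    finally:
        call("logout", {}, sid)


# Constructed sample data: what show-group returned earlier, and what a fake
# resolver answers now (one IP kept, one gone, one new, one name unresolvable).
SAMPLE_MEMBERS = {"dyn-203.0.113.10": "203.0.113.10", "dyn-203.0.113.11": "203.0.113.11"}
SAMPLE_DNS = {"portal.example.com": ["203.0.113.10", "203.0.113.20"]}


def fake_resolver(name, *_args):
    """Constructed stand-in for socket.getaddrinfo (same tuple shape)."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror(name)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in SAMPLE_DNS[name]]


if __name__ == "__main__":
    ips = resolve_all(["portal.example.com", "missing.example.com"], fake_resolver)
    for cmd, payload in plan_group_update("RA_DYNAMIC_SITES", SAMPLE_MEMBERS, ips):
        print(cmd, json.dumps(payload))
```

Two points a practitioner would check before scheduling something like this: the empty-result guard, so a DNS hiccup cannot strip every member out of a group the encryption domain depends on, and publishing from a dedicated API user whose permissions are limited to the objects this job touches, so the automation's credentials cannot change policy beyond that group.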
We have considered doing that as well. Might I ask how it's working for you? Are you using the one on GitHub?
If you could share any details and experience here that would be wonderful.