Dan_Moesch
Contributor

Split Tunnel dynamic group update

We are running a split tunnel for remote access users.   We send traffic back to the gateway for certain sites that we have IP filtering enabled (security reasons).  This process works well when the destination IP's are known and we are made aware of changes.

We have encountered a few sites that have IPs that are now changing due to cloud load balancers etc.   I am wondering if anyone has ever found a way to automatically update the remote access group?  I would think the firewall could do a DNS lookup and update the firewall group via the API?

Before I try and undertake this, I wanted to see if anyone has successfully accomplished something like this?

0 Kudos
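The automation the question sketches (resolve the site's name, diff the answers against the group's current host objects, push only the difference through the Management API), written out as an added example that is not part of this thread and not Check Point's code. It assumes the remote access group is populated with one host object per resolved address, and that a caller-supplied `post(command, payload)` function sends commands to the Management API; the command names `add-host`, `set-group`, `delete-host` and `publish` are the documented Management API commands, while the `/web_api/<command>` URL scheme, the `X-chkp-sid` header and the session id from a prior `login` are assumptions stated in the code. The DNS answers and group contents are constructed sample data.

```python
"""Keep a firewall host group in step with what a set of FQDNs resolve to.

Added example (not from the thread, not Check Point code). Planning logic is
pure and testable; the API poster at the bottom is an assumed minimal client.
"""
import ipaddress
import json
import socket
import urllib.request
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]       # fqdn -> set of IP strings
PostFn = Callable[[str, dict], dict]       # (api command, payload) -> response


def system_resolver(name: str) -> Set[str]:
    """Resolve with the OS resolver (A and AAAA). Note: what the firewall host
    resolves may differ from what a remote client sees (geo/anycast DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def host_object_name(fqdn: str, ip: str) -> str:
    """Deterministic object name for one resolved address, so reruns are idempotent."""
    return "ra-" + fqdn + "-" + ip.replace(".", "-").replace(":", "-")


def resolve_all(names: Iterable[str], resolver: Resolver) -> Dict[str, str]:
    """Return {ip: fqdn}. A name that fails to resolve is skipped rather than
    treated as 'no addresses', so a DNS outage cannot empty the group."""
    result: Dict[str, str] = {}
    for name in names:
        try:
            addresses = resolver(name)
        except OSError:            # socket.gaierror is a subclass of OSError
            continue
        for ip in addresses:
            ipaddress.ip_address(ip)   # reject garbage answers early
            result[ip] = name
    return result


def plan_update(current_members: Dict[str, str], resolved: Dict[str, str]) -> dict:
    """Diff current host objects ({object name: ip}) against fresh answers ({ip: fqdn}).
    If nothing resolved at all, change nothing (fail closed on the existing list)."""
    if not resolved:
        return {"add": {}, "remove": []}
    current_ips = set(current_members.values())
    add = {ip: host_object_name(fqdn, ip) for ip, fqdn in resolved.items() if ip not in current_ips}
    remove = sorted(name for name, ip in current_members.items() if ip not in resolved)
    return {"add": add, "remove": remove}


def apply_plan(post: PostFn, group_name: str, plan: dict) -> List[str]:
    """Issue the API commands for a plan; returns the command sequence issued.
    Hosts are created before being added to the group and removed from the
    group before being deleted, then the session is published."""
    if not plan["add"] and not plan["remove"]:
        return []                  # no churn: no publish, nothing for the audit log
    issued: List[str] = []
    for ip, name in plan["add"].items():
        post("add-host", {"name": name, "ip-address": ip})
        issued.append("add-host")
    post("set-group", {"name": group_name,
                       "members": {"add": list(plan["add"].values()), "remove": plan["remove"]}})
    issued.append("set-group")
    for name in plan["remove"]:
        post("delete-host", {"name": name})
        issued.append("delete-host")
    post("publish", {})
    issued.append("publish")
    return issued


def make_api_poster(base_url: str, sid: str) -> PostFn:
    """ASSUMED client shape: POST JSON to https://<mgmt>/web_api/<command> with the
    session id from 'login' in the X-chkp-sid header. Not exercised offline."""
    def post(command: str, payload: dict) -> dict:
        req = urllib.request.Request(
            f"{base_url}/web_api/{command}", data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


if __name__ == "__main__":
    # Constructed sample: the portal moved from .11 to .12 behind its load balancer.
    current = {"ra-portal.example.com-203-0-113-10": "203.0.113.10",
               "ra-portal.example.com-203-0-113-11": "203.0.113.11"}
    fake_dns: Resolver = lambda n: {"203.0.113.10", "203.0.113.12"}
    plan = plan_update(current, resolve_all(["portal.example.com"], fake_dns))
    print(plan)
    print(apply_plan(lambda c, p: {}, "RA_Portal_Hosts", plan))
```

Two things to watch when running something like this on a schedule: a changed group only reaches remote users when the client next receives the updated encryption domain, so this closes a gap of hours, not the seconds a rotating load balancer can produce; and because the poller resolves from the firewall's vantage point, a site that hands out different addresses by region can still be reached by a client over an address that is not in the group.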
20 Replies
PhoneBoy
Admin

In R81.20, you’ll have the ability to use updatable objects and the like for the Remote Access encryption domain.
Recommend joining the production EA.

Dan_Moesch
Contributor

That is fantastic news!  Something we have wanted for years!

Will it also support domain objects? Or will it be limited to Check Point's updatable objects?

0 Kudos
PhoneBoy
Admin

From what I understand, you'll be able to include Updatable, Dynamic, or Domain objects as part of this.
In the meantime, you can employ this manual workaround: sk167000.

(1)
Hrvoje_Brlek
Collaborator

@PhoneBoy is this feature indeed implemented in 81.20? 

We are looking to exclude MS Teams subnets out of our VPN encryption domain for remote users (using Group with Exclusions), and to have it dynamically updatable of course.

0 Kudos
Dan_Moesch
Contributor

There is a caveat here.  You cannot "include" dynamic objects, only "exclude".  So depending on how your split VPN tunnel is set up, this feature may not help.  For example, we only "include" IP addresses we want VPN users to come back to on-prem for.  All other traffic is sent out.  This helps limit the amount of traffic coming back to on-prem.

Does anyone know if CP plans to address this scenario in the future?

0 Kudos
PhoneBoy
Admin

For an "inclusive" encryption domain, you don't use Hub Mode, which is what forces all traffic to route to the gateway.
Whether the dynamic elements of this work or not without Hub Mode enabled is a separate question, but you can certainly list static hosts and networks to "include" in this situation.

0 Kudos
Dan_Moesch
Contributor

Correct, we are using static hosts; the question is around dynamic objects and updatable objects in the "inclusive" split tunnel.  Is that in future plans?

0 Kudos
PhoneBoy
Admin

It may already work...have you tried it?
Whether it's supported or not is a separate question, and this may require an RFE with your local Check Point office.

Am curious about the precise use case for this...what dynamic objects do you wish to "include" in your Remote Access encryption domain?

0 Kudos
Dan_Moesch
Contributor

There are various use cases.  Let's say a client site does IP filtering for a portal we use.   We would want to apply that domain name in the RAC vs having to maintain an IP list.   We also might use IP filtering for MS Teams or other applications that have CP Updatable objects etc.

0 Kudos
PhoneBoy
Admin

It's funny you mention MS Teams because that's usually an app that people want to exclude from Hub Mode...
Like I said, it may already work.
However, this feature was developed for Hub Mode.

0 Kudos
Dan_Moesch
Contributor

Yes, that makes sense that it was developed for Hub Mode.  I think it will get tricky using the inclusive mode due to the nature of the Windows routing table, which is used to control the traffic in a split tunnel.    Once we get to R81.20 we will test some of the functionality out.  The challenge on our side is that we have a lot of secure portals that our users access.  These portals all have IP filters on them.  It becomes a challenge to manage them with destination IP address lists, especially as some of these portals move to AWS etc. and don't have a set range of IP addresses.

0 Kudos
Roh_oh
Participant

Hi Dan, did you find a way to achieve that? We are in the same scenario: we want to "include" some cloud-based applications in our RA VPN domain that are filtered by a WAF allowing only the egress IP of the GW. At least for now, every time one IP is changed we receive a ticket to update that on our domain, and we are looking to automate that.

@PhoneBoy one of our challenges is for example Salesforce

0 Kudos
Dan_Moesch
Contributor

Hi there Roh_oh.  Unfortunately there isn't a way to do this yet.  We face the same issues you are.  I think CP sort of has the logic backwards with the current solution.  Ideally, with a split tunnel the default should be "Internet" and not "on prem".  Only go back to "on prem" for applications/sites that you want.   Our RAC is fairly large these days, and we have a few sites that we cannot get static IPs or network ranges for.   We have worked around it by using published MS Edge shortcuts in Citrix.

We are looking at CP Harmony Connect soon, and may route all traffic through this and hopefully will get a range of static IP's that remote sites can then filter on. 

As far as Salesforce, we have a range of IP's for Salesforce, so you might be able to get that range added to your RAC.

0 Kudos
PhoneBoy
Admin

Harmony Connect will provide you static IPs for access; they are instance specific and can be obtained from TAC.

0 Kudos
Dan_Moesch
Contributor

Thanks.  That will be great.  Will all customers have the same IPs though?  Or are they unique per customer?

The concept of IP filtering is to ensure that connections are coming from a certain customer etc.

0 Kudos
PhoneBoy
Admin

I believe the IPs are per tenant (customer instance) per location.

0 Kudos
Dan_Moesch
Contributor

Now that would be fantastic!   We are going to test it out soon. 

0 Kudos
Roh_oh
Participant

I was very disappointed when I saw your reply message hehe, but then we revived the topic! About Salesforce, in August they started to migrate some clients (Hyperforce) to public cloud-based infra; I don't know if you are using that, but take a look.

@PhoneBoy tomorrow I will take a look at Harmony Connect, thanks!

0 Kudos
Dan_Moesch
Contributor

@Roh_oh - please keep me posted on how things work out for you.   Our team here is occupied on some other projects the next few months, but will be doing a full-scale eval of Harmony soon.  If we can get the IP filtering and leverage IPS protections etc., it will be a huge win in securing our users when remote and solve the split tunnel issues we face with IP filtering and dynamic objects/sites.

0 Kudos
