This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Juan_Karlo_Cris
Explorer
‎2018-06-27 09:09 PM
Jump to solution

Split Tunnel

Hi Everyone,

Can someone help how to do split tunnel. I want to force the traffic of the VPN user to use their local internet provider when connected to the VPN tunnel so it will not consume the bandwidth of the company.

Thanks

3 Solutions

Accepted Solutions
Pedro_Espindola
Advisor
‎2018-06-29 08:05 AM
Jump to solution

Hello Juan,

The configuration is done in Global Properties. It is enabled by default. Configure the option "Route all traffic to gateway" to "No".

You can also set it to "Configured on endpoint client", so the user can route everything through gateway to be safer when needed.

Configure split tunnel

View solution in original post

Sanjay_S
Advisor
‎2021-04-15 06:00 AM
In response to PointOfChecking
Jump to solution

Hi AndreiR,

You just need to add the new subnet in the VPN Domain.

View solution in original post

Chris_Atkinson
Employee Employee
Employee
‎2022-09-20 04:06 PM
In response to alancw
Jump to solution

Have you reviewed sk167000 for your use case?

CCSM R77/R80/ELITE

View solution in original post

(1)
20 Replies
Houssameddine_1
Collaborator
‎2018-06-28 07:01 AM
Jump to solution

Split tunneling is enabled by default. you don't have to do anything.

Gaurav_Pandya
Advisor
‎2018-06-29 05:09 AM
Jump to solution

Yeah Correct. Split tunneling is enabled by default for remote VPN users. You need to enable setting if you don't want split tunneling but by default it is enabled.

Pedro_Espindola
Advisor
‎2018-06-29 08:05 AM
Jump to solution

Hello Juan,

The configuration is done in Global Properties. It is enabled by default. Configure the option "Route all traffic to gateway" to "No".

You can also set it to "Configured on endpoint client", so the user can route everything through gateway to be safer when needed.

Configure split tunnel

Sanjay_S
Advisor
‎2020-06-02 02:08 AM
In response to Pedro_Espindola
Jump to solution

Hi All,

How to add a route in the routing table of the Remote Access VPN user?
0 Kudos
AndreiR
Employee Alumnus
Employee Alumnus
‎2020-06-02 01:48 PM
In response to Sanjay_S
Jump to solution

Hi Sanjay_S,

What's your final goal: to forward traffic to encryption domain or to exclude some traffic from encryption domain?

Are you working in hub mode when all traffic is routed to gateway or in regular mode (split tunnel) when non-encryption domain traffic is not routed to gateway?

Sanjay_S
Advisor
‎2020-06-03 12:51 AM
In response to AndreiR
Jump to solution

Hi AndreiR,
We are using Split tunnel mode. My goal is to add an additional subnet in the route table of the user machine when connected to Checkpoint endpoint security for a subnet and that should be routed towards Gateway.
0 Kudos
AndreiR
Employee Alumnus
Employee Alumnus
‎2020-06-05 10:56 AM
In response to Sanjay_S
Jump to solution

Hi @Sanjay_S ,

You may manually define VPN domain. Open Smart Console, open properties for specific gateway, go to Network Management –> VPN Domain. There you can select "Manual defined" and specify VPN domain using predefined network objects.

Hope that helps.

Itops
Explorer
‎2020-10-29 07:58 AM
In response to AndreiR
Jump to solution

if im using splittunnel setup and i would like to have the same rules, that is: a user should not have access to socialmedia when he is at the office and also when he is using splittunnel vpn. what do you suggest in this case?

0 Kudos
PointOfChecking
Collaborator
‎2021-04-15 02:50 AM
In response to AndreiR
Jump to solution

I also want to do this.  I do not want to enable hub mode, but want to add additional subnet range of a 3rd party website.

I added the external range to my VPN Domain, but still no luck.

I don't even see any blocked packets in the Logs (either before or after the change).

Please help.

 

0 Kudos
Sanjay_S
Advisor
‎2021-04-15 06:00 AM
In response to PointOfChecking
Jump to solution

Hi AndreiR,

You just need to add the new subnet in the VPN Domain.

PointOfChecking
Collaborator
‎2021-04-15 06:17 AM
In response to Sanjay_S
Jump to solution

Thanks! That's worked!!  I changed the wrong object at first.

 

 

 

0 Kudos
alancw
Participant
‎2022-09-20 02:21 PM
In response to PointOfChecking
Jump to solution

So at the moment I am routing all traffic to the gateway for my vpn set up. I want to only allow office 365 to break out locally on the endpoint. Do I have to turn off hub mode and select "No" to route all traffic to the gateway and just rely on the vpn domain to route traffic into my gateway. hope that makes sense....

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-09-20 04:06 PM
In response to alancw
Jump to solution

Have you reviewed sk167000 for your use case?

CCSM R77/R80/ELITE
(1)
alancw
Participant
‎2022-09-21 05:12 AM
In response to Chris_Atkinson
Jump to solution

Nice one thanks very much for that Chris. 👍

0 Kudos
alancw
Participant
‎2022-09-21 02:49 PM
In response to Chris_Atkinson
Jump to solution

Hi Chris, I used this SK tonight on our environment but it totally broke traffic going over the remote access vpn for some reason.

The IP Addresses for office 365 did route out the broadband which was all good. But all traffic back to the firewalls did not work.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-09-21 04:14 PM
In response to alancw
Jump to solution

Do you try using ANY and or ALL INTERNET when configuring your group with exclusions?

Other than trying these alternatives I would suggest diagnosing further with the TAC.

CCSM R77/R80/ELITE
0 Kudos
alancw
Participant
‎2022-10-03 03:35 AM
In response to Chris_Atkinson
Jump to solution

Yeah I tried to use "ANY" and I created a "ALL INTERNET" 0.0.0.0/0 to test but i only got some internal subnets working which is really weird. Do you know of any file on the manager that sends out the encryption domain to the client? that contains the subnets to encrypt?

thanks

Alan

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-03 03:45 AM
In response to alancw
Jump to solution

What Endpoint client version is used here?

To further expedite this I would recommend contacting TAC as above. 

CCSM R77/R80/ELITE
0 Kudos
alancw
Participant
‎2023-02-21 02:56 PM
In response to Chris_Atkinson
Jump to solution

Onto TAC now for the last 3 months, with no sign of fixing the issue that I have. has anyone else had this sort of issue before? Was there any way around this?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-02-21 05:14 PM
In response to alancw
Jump to solution

Are you using E87.x or some other client version currently - also how about the Gateway versions involved?

Please share the SR with me via DM and I'll take a look at it's status.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events