Ivory

Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

Hi all,

Is it actually possible to configure VPN RA in the default mode (split tunnel) but add the cloud services, or anything else based on FQDN, to the unsecured path?

I am thinking of R80.30 actually. I see Cisco calls it Dynamic Split Tunneling and it seems it is something handled from their side. Is Check Point able to do the same at this moment?

Thanks to anybody for the feedback in advance.

 

Regards,

A    

0 Kudos
5 Replies
Pearl

Perhaps I am not reading your question right, but this is what should be happening by default:

When split tunnel is enabled, all traffic NOT addressed to the "Remote Access encryption domain" in the gateway object's properties should go via the "Unsecured" channel regardless, so there is no need to define the O365, YouTube, etc. Dynamic Objects for the RA VPN policy.

 

Ivory

Thank you Vladimir for your reply.
Actually, I might not have expressed myself clearly.

I will try the other way around: I need to pass all traffic to the GW except for the cloud-based and bandwidth-intensive services (YouTube and similar). Since the IP addresses change for those services, it would be great to use domains (FQDN).

Cisco has Dynamic Split Tunneling using FQDN as an attribute. Does Check Point have something similar at this moment, or if not, do they have this on their road-map anytime soon?

Sorry for the confusing first post, I hope this makes it clearer what I am trying to achieve.

 

Regards! 

0 Kudos
Admin

I think what you're trying to do is "route all traffic" over VPN but not for things like O365.
The encryption domain (what controls what is sent over the VPN) is fixed and doesn't support things like Updatable Objects or definition by FQDN.
I recommend engaging with your local Check Point office regarding this.
0 Kudos
Nickel

I had a similar question too. Looking at some old thread:
https://community.checkpoint.com/t5/Remote-Access-Solutions/Split-Tunnel/td-p/34675

 

I guess the Check Point setting is to enable split tunneling by choosing not to route all traffic to the gateway. Then define which specific traffic needs to be in the tunnel? (Thus excluding other traffic such as Office 365, etc.?)

0 Kudos
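To make the two split-tunnel modes discussed in this thread concrete, here is an added example (not Check Point's code, nor anything posted by the participants). It models the client-side routing decision: in the default mode only destinations inside the encryption domain are tunneled, while in "route all traffic" mode everything is tunneled unless it matches an exclusion. It also shows why FQDN-based exclusions are harder than they look: the exclusion list is only as fresh as the last DNS lookup, so a service that rotates addresses will leak new addresses back into the tunnel until the list is refreshed. The encryption domain, the service name `service.example.net` and the DNS answers are all constructed for the example.

```python
import ipaddress

# Constructed encryption domain: the networks the RA client sends through the tunnel
# in default (split tunnel) mode. These are not real Check Point defaults.
ENCRYPTION_DOMAIN = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed DNS answers for a hypothetical cloud service at two points in time.
# Between t0 and t1 the service drops one address and adds another, which is exactly
# the behaviour that makes static IP exclusions go stale.
DNS_SNAPSHOTS = {
    "t0": {"service.example.net": {"203.0.113.10", "203.0.113.11"}},
    "t1": {"service.example.net": {"203.0.113.11", "198.51.100.7"}},
}


def route_decision(dst, encryption_domain=ENCRYPTION_DOMAIN, route_all=False, exclusions=()):
    """Return 'tunnel' or 'direct' for a destination IP.

    route_all=False : default split tunnel, only encryption-domain destinations are tunneled.
    route_all=True  : everything is tunneled unless it matches one of the exclusion networks
                      (the behaviour the original poster is asking for).
    """
    ip = ipaddress.ip_address(dst)
    if route_all:
        if any(ip in net for net in exclusions):
            return "direct"
        return "tunnel"
    return "tunnel" if any(ip in net for net in encryption_domain) else "direct"


def resolve_exclusions(fqdns, dns_answers):
    """Expand FQDN exclusions into host (/32) networks using the supplied DNS answers.

    dns_answers maps a name to the set of addresses it resolved to at one moment in time;
    a real client would refresh this on every resolution rather than once at connect time.
    """
    nets = set()
    for name in fqdns:
        for addr in dns_answers.get(name, ()):
            nets.add(ipaddress.ip_network(addr + "/32"))
    return nets


def stale_exclusions(fqdns, old_answers, new_answers):
    """Addresses the service now uses that are missing from an exclusion list built earlier.

    Traffic to these addresses would be tunneled even though the intent was to exclude
    the service, which is the failure mode that makes a dynamic (per-lookup) mechanism
    necessary rather than a one-off resolution.
    """
    old = resolve_exclusions(fqdns, old_answers)
    new = resolve_exclusions(fqdns, new_answers)
    return sorted(str(n) for n in new - old)


if __name__ == "__main__":
    excl = resolve_exclusions(["service.example.net"], DNS_SNAPSHOTS["t0"])
    for dst in ("10.1.2.3", "203.0.113.10", "198.51.100.7"):
        print(dst, "default:", route_decision(dst),
              "route-all+exclusions:", route_decision(dst, route_all=True, exclusions=excl))
    print("leaked into tunnel after DNS change:",
          stale_exclusions(["service.example.net"], DNS_SNAPSHOTS["t0"], DNS_SNAPSHOTS["t1"]))
```

The interesting line of output is the last one: an exclusion list built at t0 still diverts `203.0.113.11` directly, but `198.51.100.7`, which the service started using at t1, is sent through the tunnel. Any FQDN-based exclusion therefore has to be re-evaluated on each DNS answer the client sees, which is why it needs client-side support rather than a static encryption-domain entry.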
Admin

My opinion: it's better to do whatever kind of filtering/logging you wish to do on the traffic at the client rather than route everything back to a central point to do it.
That will provide better protection/visibility in the long run.

I believe this is something we are working on as part of SandBlast Agent.
0 Kudos