This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sky
Participant
‎2020-03-27 06:14 PM

Split tunnel to Microsoft Office 365 / YouTube / or other services based on FQDNs

Hi all,

Is it actually possible to configure VPN RA in the default mode (split tunnel) but adding to the unsecured way the cloud services or anything else based on FQDN? 

I am thinking of the R80.30 actually. I see Cisco called it Dynamic Split Tunneling and it seems it is something handled from their side.  Is Checkpoint able to do the same in this moment?

Thanks to anybody for the feed backs in advance.

 

Regards,

A    

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2020-03-28 06:43 AM

Perhaps I am not reading your question right, but this is what should be happening by default:

When split tunnel is enabled, all traffic NOT addressed to the "Remote Access encryption domain" gateway's object  properties should go via "Unsecured" channel regardless, so there is no need to define the O365, Youtube, etc. Dynamic objects for RA VPN policy.

 

Sky
Participant
‎2020-03-28 07:13 AM
In response to Vladimir

Thank you Vladimir for your reply.
Actually I might have not expressed myself clear. 

I will try the other way around, I need to pass all traffic to the GW except for the cloud based and intensive bandwidth (YouTube and similar services). Since the IP addresses changes for those services, would be great to use domains (FQDN).

Cisco has Dynamic Split Tunneling using FQDN as an attribute. Does checkpoint has something similar in this moment or if not, do they have this on their road-map anytime soon?

Sorry for the confusing first post, I hope this is more clear on what the achievement is.

 

Regards! 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-28 12:36 PM

I think what you're trying to do is "route all traffic" over VPN but not for things like O365.
The encryption domain (what controls what is sent over the VPN) is fixed and doesn't support things like Updatable Objects or definition by FQDN.
I recommend engaging with your local Check Point office regarding this.
0 Kudos
Cyber_Serge
Collaborator
‎2020-03-28 01:36 PM
In response to PhoneBoy

I had similar question too. Looking at some old thread:
https://community.checkpoint.com/t5/Remote-Access-Solutions/Split-Tunnel/td-p/34675

 

I guess Check Point setting is to enabled split tunneling by choosing not to route all traffic to gateway. Then define which specific traffic need to be in the tunnel? (Thus, excluding other traffic such as Offie365....etc?)

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-28 02:24 PM
In response to Cyber_Serge

My opinion: it's better to do whatever kind of filtering/logging you wish to do on the traffic at the client rather than route everything back to a central point to do it.
That will provide better protection/visibility in the long run.

I believe this is something we are working on as part of SandBlast Agent.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events