Create a Post
Showing results for 
Search instead for 
Did you mean: 

What is the equivalent of Cisco "tunneled" route in Check Point to forward all traffic inbound from a VPN connection, straight to another device?


I want my remote access users/clients to have a different "default route" than the one of the Security Gateway (R80.10). I want a way to tell the Security Gateway to forward all traffic inbound from a VPN connection, straight to another device.

In Cisco's world, you can achieve this with a "tunneled" route :

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example - Cisco 

This document describes how to configure the Adaptive Security Appliance (ASA) to route the SSL VPN traffic through the tunneled default gateway (TDG). When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes.

How can this be done with R80.10 using a VS on a VSX in VSLS mode?

Please see attached diagram for more info.

Note : I wanted to use Policy-Based Routing, but it doesn't seem to be available with my setup based on the following document from Check Point : Policy-Based Routing (PBR) on Gaia OS 

0 Kudos
3 Replies

I don't believe it is possible to do this, but I could be wrong.

What is the actual problem you're trying to solve (i.e. why are you trying to forward all VPN traffic to a specific nexthop)?

0 Kudos

There is already a Virtual System (VS) in place, on a VSX in VSLS, running R80.10. This VS is providing Internet access to internal users and is running the following blades:

  • Firewall
  • Application Control
  • URL Filtering
  • Identity Awareness
  • Monitoring
  • IPS
  • Anti-Bot
  • Anti-Virus

We now have to provide remote access to approximately 150 concurrent remote users and site-to-site VPN to approximately 5 to 10 remote sites.

Remote users need to access internal services and to browse the Internet while being filtering just like the internal users.

There are approximately 6000 internal users.

I'm looking for the best setup. Should I put everything on one VS? Or should I create another one? If I create another one, what services and blades do I put on it?

I didn't find any written references, guidelines, recommandations in the Check Point world, so any help is welcome!

0 Kudos

If you've already got VSX going, adding another "Remote Access" VS seems like a good way to resolve the issue.

All you'd need on that VS would be FW + VPN + Identity Awareness.

That said, that sort of approach is going to cause additional load on your Internet pipe and the gateway, particularly if most of the Remote Access traffic is going to the Internet anyway.

You may want to look into Capsule Cloud, which can enforce the same policy "in the cloud" without routing all your traffic back to your premise.

Both VPN clients can coexist on your client PCs. 

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events