- Products
- Learn
- Local User Groups
- Partners
- More
What's New in R82.10?
Watch HereWhen the Agents Attack
A Live Look at Agentic Exposure Validation
AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
CheckMates Fest
Just passing this on as we just encountered it.
A request came to add some new IPs to the Encryption Domain so that the traffic would go internally instead of to the internet in the split tunnel configuration. Added new IPs. Oops, those new IPs are used by other apps, put it back the way it was.
A client logged in to the original settings. Then the change with the new IPs, and the client logged in. THEN (last one), the client logged in after the backoff. The client was still going through the internal path (I spent a bunch of time verifying this with audits, etc.)
Problem? The client had cached the path.
Easiest Solution? Delete the site in the VPN client and recreate it.
Or you can delete the trac.config file.
Like I said, just passing it on. I did not find a SK referencing it, so I decided to share it here.
Could you please explain the issue in a bit more detail? It was a little difficult to understand, but from what I understood, you have a Remote Access configuration with split tunneling enabled, intended to ensure that an application with a public IP does not go out through the internet for VPN clients, but instead is accessed through the application’s private IP via the tunnel.
1 – Show this points:
Re-enter the IPs in the VPN domain and push the policy again.
Ask the user to disconnect and reconnect.
Restart the VPN client.
In some cases, restarting the computer may help.
Check whether the client’s computer received the new routes using route print in the command prompt.
Run a tracert to the application from the test user’s machine and verify whether it is going through the tunnel as expected.
Test with other users.
Best Regards
That is not the scenario. The destination is a AWS address. They wanted the AWS connection to pass through internal networks so that it could get a corp public NAT. So they added the IP to the Encryption Domain. That broke others going to the same address for different apps that relied on the internet connection. So, removed the IP from the group defining the encryption domain. That fixed it for many, but a few clients were still trying to go through internal. It was because the client still had the path defined in the previous config. Restarting did not change it. By redoing the site, that cleared it from tracs.config.
Im so glad you posted about this, because I had the same issue with few clients. I really wish I knew in what scenarios deleting and recreating the site would NOT be needed.
Sadly, that appears to be very difficult to know, so I make sure I always let people know that might be needed, so they are aware beforehand.
Out of curiousity, though obviously its AI response, but somewhat interesting...
******************
In Check Point Remote Access VPN (Harmony/Endpoint Security VPN / Mobile / SNX), you do NOT need to delete & re‑create the VPN “site” on the client as long as the change you made on the firewall doesn’t invalidate what the client cached when the site was created (gateway address resolution, trust/fingerprint, and authentication method). [sc1.checkpoint.com], [community….kpoint.com], [community….kpoint.com]
Below are the common change types where re-creating the site is not needed—a disconnect/reconnect (or “Update Topology”) is usually enough.
If you’re only changing what remote users can access (new rules, modified services, rule ordering, VPN column changes, etc.), the client site entry doesn’t need to change—you just install policy and users reconnect. [sc1.checkpoint.com]
Adding/removing gateways in the Remote Access community, changing participating user groups, or changing Identity Awareness / Access Roles that control who gets access are policy-side changes; they do not require rebuilding the site on the endpoint. [sc1.checkpoint.com]
Changing IKE/IPsec proposal preferences (encryption algorithms, integrity, DH group) is normally handled via policy and negotiation; users typically just reconnect after policy install. [sc1.checkpoint.com]
Practical note: users may need to disconnect/reconnect so Phase 1/2 can renegotiate using the new settings. [sc1.checkpoint.com]
When you change things like Office Mode behavior, split-tunnel routes, or similar “site topology” data, Check Point’s own guidance is generally to have users create or update site topology after policy install—not necessarily delete/recreate the site entry. [sc1.checkpoint.com]
The client uses a fingerprint/trust check during site definition/initial connection; if your changes don’t alter what the client expects/trusts (e.g., still anchored the same way), then you typically don’t need to delete/recreate—at most users may see a prompt to verify/accept. [sc1.checkpoint.com]
You usually don’t need to delete/recreate the site if all three are true:
If those hold, changes like policies, groups, and crypto settings generally don’t require site recreation. [sc1.checkpoint.com]
Even though you didn’t ask, this helps draw the boundary:
Try these in order (least disruptive first):
vpn.company.com) or a raw IP? [community….kpoint.com]If you tell me those three, I can give you a precise “no client action / reconnect only / update topology / must recreate” answer for your specific change.
It was actually Grok that said it might be the site's cached material and to recreate it or delete the trac file.
I spent about 3 hours going through LDAP groups, validating objects, auditing changes, and every other thing related to how the VPN was talking to the client. Then to find that the client was stubborn and not listening to what it was told. 😉
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY