SriNarasimha005
Collaborator

Dynamic Split Tunneling

Hi All,

We have a Check Point firewall operating on R82 with remote access VPN functionality activated. We have set up a Full tunnel (Hub mode) with Dynamic Split tunneling (where only a few IP addresses are excluded), utilizing the object-group: exclusions_

Upon examining the route print on the user machine, we observed that a default route has been injected with the mask 252.0.0.0. Consequently, we encountered an issue where, for the proxy solution to recognize the VPN network, it must align with the strict default route of 0.0.0.0 with a mask of 0.0.0.0.

1. What steps are necessary to insert a default route with the mask 0.0.0.0?

2. Given that we have dynamic split tunneling enabled, could this lead to any connectivity problems?

Thank you in advance for your help.

0 Kudos
4 Replies
SriNarasimha005
Collaborator

Hi Gents @PhoneBoy @Timothy_Hall 

Hope you're doing well.

I’m currently stuck on this and need some help. Do you have a few minutes to give me your advice?

0 Kudos
PhoneBoy
Admin

I don't believe we ever inject a 0.0.0.0/0.0.0.0 route into the Remote Access client, which means this is likely an RFE.

The only method I know for configuring the routes sent to the client is through the encryption domain or something like https://support.checkpoint.com/results/sk/sk92676 which is not your use case here.
The only method I can think of is to set this route up AFTER connecting with the Remote Access client.

0 Kudos
SriNarasimha005
Collaborator

Hi @PhoneBoy 

Thank you for your response. The encryption domain is set to 0.0.0.0/0 with a few exclusions.

Given that we have several VPN firewalls, implementing a static route may not be effective. Is there a possibility of altering the trac file?

0 Kudos
PhoneBoy
Admin

Modify trac to do what, inject a 0.0.0.0/0.0.0.0 route?
Like I said, that's probably an RFE (i.e. not in the product).

The static route I'm referring to would have to be done on the client itself.
Nearly 20 years ago, I actually wrote a Windows BAT file that would automate the process of creating a desired route based on what comes back from the VPN gateway: https://phoneboy.com/1405/fun-with-check-point-secureclient-and-windows-batch-files
Whether this still works or not is a separate question.

0 Kudos
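
As an added example (not from the thread and not Check Point code): a Python check, run over a constructed `route print` excerpt, that reports whether the routes bound to the VPN adapter include a literal 0.0.0.0/0.0.0.0 entry and which IPv4 ranges they leave outside the tunnel. The adapter address 10.99.0.10 and the sample rows are assumptions made for illustration.

```python
import ipaddress

A = ipaddress.IPv4Address
# Constructed sample of IPv4 rows from Windows "route print" (not from the thread):
# destination, netmask, gateway, interface, metric. 10.99.0.10 is a made-up VPN adapter.
SAMPLE_ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
          0.0.0.0        252.0.0.0         On-link        10.99.0.10      1
          4.0.0.0        254.0.0.0         On-link        10.99.0.10      1
          8.0.0.0        248.0.0.0         On-link        10.99.0.10      1
         16.0.0.0        240.0.0.0         On-link        10.99.0.10      1
         32.0.0.0        224.0.0.0         On-link        10.99.0.10      1
         64.0.0.0        192.0.0.0         On-link        10.99.0.10      1
        128.0.0.0        128.0.0.0         On-link        10.99.0.10      1
"""

def parse_routes(text):
    """Return (network, interface address) for every IPv4 route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # headers and other rows
        try:
            # Count mask bits directly so 0.0.0.0 is read as /0, never as a hostmask.
            prefix = bin(int(A(f[1]))).count("1")
            net = ipaddress.ip_network(f"{f[0]}/{prefix}")
            routes.append((net, A(f[3])))
        except ValueError:
            continue  # not an IPv4 route row
    return routes

def vpn_coverage(routes, vpn_iface):
    """Report what the routes bound to one interface cover and leave out."""
    iface = A(vpn_iface)
    nets = [n for n, i in routes if i == iface]
    merged = list(ipaddress.collapse_addresses(nets))
    gaps, cursor = [], 0
    for n in merged:  # sorted and non-overlapping after collapse
        start = int(n.network_address)
        if start > cursor:
            gaps += ipaddress.summarize_address_range(A(cursor), A(start - 1))
        cursor = int(n.broadcast_address) + 1
    if cursor <= 0xFFFFFFFF:
        gaps += ipaddress.summarize_address_range(A(cursor), A(0xFFFFFFFF))
    return {"literal_default": ipaddress.ip_network("0.0.0.0/0") in nets,
            "merged": [str(n) for n in merged],
            "not_via_vpn": [str(g) for g in gaps]}
```

On the constructed sample, `vpn_coverage(parse_routes(SAMPLE_ROUTE_PRINT), "10.99.0.10")` reports no literal default route on the VPN adapter and a single range, 6.0.0.0/7, left outside the tunnel.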
