CheckMates : Products : Harmony : SASE
Help me understand split tunneling modes
Hello,
I am having a bit of trouble grasping split tunneling in SASE, as I am getting some contradicting information.
Question:
Does "Full Tunnel" still allow access to the local LAN (directly connected network), or will that traffic be routed to the SASE network?
I have spoken to Support about this and received different answers. Yes, and no.
Assuming it's no, I would have to switch to Exclude mode if I want to avoid local traffic being routed into the SASE network. In that case, how can I establish cross-site communications?
Example:
Site 1: 192.168.0.0/24
Site 2: 10.10.10.0/24
Two IPSec tunnels, connecting each site to Harmony SASE. Split Tunnel configuration set to exclude both networks, so each network can access local resources without going through the SASE tunnel.
In that scenario, how would 192.168.0.0/24 communicate with 10.10.10.0/24 (and vice versa), given both are now excluded from the tunnel? Would I set up static routes in the SASE network?
Labels: corporate access, SASE
I will let someone else confirm for sure, but my educated guess would be yes, based on the document below.
Andy
Thanks Andy. So the routes would override (take precedence over) the split tunnel config? If I exclude 192.168.0.0/24 in split tunnel, but then add a route for the same network, it would work?
It seems a bit counter-intuitive, as that would tell the clients, hey listen, 192.168.0.0/24 is excluded in split tunnel so you can reach your local printer without going through the VPN, but hey, here is a route for 192.168.0.0/24 that sends traffic into the VPN...
In a "classical" network, the locally connected subnet would have a lower metric, so it would always be routed locally, but I am not sure with this one.
I believe that's what the "include" and "exclude" options are for within the split tunneling setting in the SASE portal. I don't have access to it atm, but will check it tomorrow and confirm.
I get what you are saying about the routes, it's 100% true that in a classic network, a locally connected subnet would have a lower metric.
Andy
I found a screenshot I took of it last week. Based on this, I'm pretty sure that with full tunnel, EVERYTHING would be routed through the tunnel itself (SASE).
Andy
Thanks Andy. So I guess the correct steps would be:
* Exclude local networks in Split Tunneling
* Add routes to these networks in routing config, pointing to tunnel interfaces
I am going to play around with this a bit.
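As an added illustration of the route-precedence reasoning a few posts up (excluded subnet vs. a route for the same prefix, and the "classical" lower-metric rule) and of the two-step outcome just listed, here is my own model, not code from the thread or from Check Point: a Site 1 client picks the most specific prefix and, between equal prefixes, the lowest metric, so its connected 192.168.0.0/24 outranks any tunnel route for that prefix, while a more specific route for 10.10.10.0/24 sends only cross-site traffic into the tunnel. The metric values and the "lan-gateway" hop for excluded prefixes are assumptions, and Full Tunnel mode is left out because the thread does not settle how the agent treats the local LAN there.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a client's route selection: longest prefix first, lowest
# metric as tie-break. Not Harmony SASE's implementation; the metrics are assumed
# values chosen so a connected subnet outranks any tunnel route to the same prefix.

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "on-link", "lan-gateway" or "sase-tunnel"
    metric: int

def lookup(table, dst):
    """Next hop for dst: the most specific prefix wins, then the lowest metric."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.next_hop

def site1_table(excluded, tunnel_routes):
    """Table for a client on 192.168.0.0/24 in Exclude mode (assumed layout).

    excluded:      prefixes kept off the tunnel, handed to the LAN gateway
    tunnel_routes: prefixes explicitly routed into the SASE tunnel
    """
    net = ipaddress.ip_network
    table = [Route(net("192.168.0.0/24"), "on-link", 0),   # connected subnet
             Route(net("0.0.0.0/0"), "sase-tunnel", 10)]  # non-excluded traffic -> tunnel
    table += [Route(net(p), "lan-gateway", 5) for p in excluded]
    table += [Route(net(p), "sase-tunnel", 10) for p in tunnel_routes]
    return table

def next_hops(excluded, tunnel_routes):
    """Where a Site 1 client sends traffic to a local printer, to Site 2 and to the Internet."""
    table = site1_table(excluded, tunnel_routes)
    return {dst: lookup(table, dst) for dst in ("192.168.0.50", "10.10.10.5", "8.8.8.8")}

if __name__ == "__main__":
    # OP's starting point: both site prefixes excluded, no explicit routes -> Site 2 unreachable.
    print(next_hops(["192.168.0.0/24", "10.10.10.0/24"], []))
    # Thread's outcome: keep the local LAN excluded, add a route for Site 2 into the tunnel.
    print(next_hops(["192.168.0.0/24"], ["10.10.10.0/24"]))
```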
I will check how my colleague and I did it for the customer, but that sounds 100% right. Give me about an hour brother.
Andy
You got it, I just confirmed, though I had a gut feeling that's how it was. I also included a post I made about route-based tunnels explaining all this and also a couple of screenshots to help you out. MAKE SURE the peer in the VTI settings is the same as the interoperable object, otherwise it won't work. If you need a remote session, happy to help. There is also a text file my colleague and I put together a few years ago, attached in that post; it lists the Azure config step by step.
Andy
P.S. I feel this is important to say... we usually pick UNNUMBERED VTI, because this customer uses BGP, but even if someone does not, it would still work. This is somewhat relevant, because some people may "freak out" in such a case: when you get the interface without topology, you will see the VTI with the EXACT same IP address as the interface it "hangs" off, but it's totally NORMAL.
Anyway, that's all I can think of for now mate 🙂
Hey Andy, thanks for confirming 🍻 But I think the article/screenshots are related to Gateway/Firewall, not SASE 🙂 But I get the gist of it. Cheers!
Yes, I know, that's on the Gaia side, 'cause on the SASE end, all you need to do is make sure you correctly indicate the include/exclude options and also the networks tab. There is no, per se, routing config you modify.
Andy
Hm ok, that kind of puts me back to square one (pardon me, I am slow :D). If all I do is the exclusion, then I still have the problem that once excluded, Site 1 can't talk to Site 2 (and vice versa), as both networks are excluded from the tunnel.
There is a routing config in SASE. It allows me to specify a destination network and the tunnel the traffic should flow through.
All good mate, it's fairly new to all of us. I can't find anything about it, UNLESS the below is what you meant?
Andy
Not quite, but this:
There is a routing table. I think this is what I need. It auto-populated for another site that is using the Linux connector rather than an IPSec tunnel.
100% that's what you need, sorry, I was looking in the wrong place, apologies.
Andy
@cryptochrome For context, in case this may help someone else, this is where it is in the portal.
Andy
Updated screencap 🙂
Does what I mentioned about the routing part make sense? If it's still not clear, please let me know and I can test.
Andy
