Dan_Moesch
Participant

Split Tunnel dynamic group update

We are running a split tunnel for remote access users. We send traffic back to the gateway for certain sites for which we have IP filtering enabled (for security reasons). This process works well when the destination IPs are known and we are made aware of changes.

We have encountered a few sites whose IPs are now changing due to cloud load balancers, etc. I am wondering if anyone has ever found a way to automatically update the remote access group? I would think the firewall could do a DNS lookup and update the firewall group via the API?

Before I try to undertake this, I wanted to see if anyone has successfully accomplished something like this.

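The "DNS lookup, then update the group via the API" idea in the post above, written out as an added example (not code from this thread or from Check Point). It resolves a list of FQDNs, diffs the result against the host members of an existing network group, creates host objects for new addresses, adds/removes members with set-group, publishes, and installs policy. The group name, host naming convention (`<group>_<ip>`), FQDNs, management server, API user, policy package and gateway target are placeholders; the Management API commands (login, show-group, add-host, set-group, publish, install-policy) are the standard /web_api ones. The DNS answers and the management server are stand-ins constructed for the demo so it runs offline.

```python
"""Keep a Check Point network group in sync with what a set of FQDNs resolves to.

Added example for this thread; not code from the original posts or from Check Point.
All names (group, hosts, FQDNs, server, credentials, policy package, targets) are
placeholders. API commands used are the standard /web_api ones."""
import ipaddress
import json
import socket
import ssl
import urllib.request


def default_resolver(fqdn):
    """IPv4 addresses the local resolver returns for fqdn (A records only)."""
    return [sa[0] for *_, sa in socket.getaddrinfo(fqdn, None, socket.AF_INET)]


def plan_changes(current_ips, wanted_ips):
    """Diff the group's current host IPs against the resolved set.

    Returns (to_add, to_remove), each sorted numerically as IP strings."""
    current, wanted = set(current_ips), set(wanted_ips)
    key = ipaddress.IPv4Address
    return sorted(wanted - current, key=key), sorted(current - wanted, key=key)


class MgmtApi:
    """Minimal Management API client. transport(path, body, sid) is injectable so
    the sync can be exercised without a management server (see DryRunTransport)."""

    def __init__(self, server, transport=None):
        self.server, self.sid = server, None
        self.transport = transport or self._https_post

    def _https_post(self, path, body, sid):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # session id returned by the login call
        req = urllib.request.Request(f"https://{self.server}/web_api/{path}",
                                     data=json.dumps(body).encode(), headers=headers)
        # Assumption: the management server's certificate is trusted by this host.
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.load(resp)

    def call(self, path, body=None):
        return self.transport(path, body or {}, self.sid)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]


def sync_group(api, group, fqdns, resolver=default_resolver, policy=None, targets=()):
    """Make `group` contain exactly one host object per IPv4 address the FQDNs resolve to.

    Hosts dropped from the group are left as objects (they may be referenced elsewhere)."""
    wanted = {ip for name in fqdns for ip in resolver(name)}
    shown = api.call("show-group", {"name": group, "details-level": "full"})
    current = {m["ipv4-address"]: m["name"]
               for m in shown.get("members", []) if m.get("type") == "host"}
    to_add, to_remove = plan_changes(current, wanted)
    if not to_add and not to_remove:
        return to_add, to_remove  # nothing changed: no publish, no install
    for ip in to_add:
        api.call("add-host", {"name": f"{group}_{ip}", "ip-address": ip})
    members = {}
    if to_add:
        members["add"] = [f"{group}_{ip}" for ip in to_add]
    if to_remove:
        members["remove"] = [current[ip] for ip in to_remove]
    api.call("set-group", {"name": group, "members": members})
    api.call("publish")
    if policy:  # the encryption domain only changes on the gateway after install
        api.call("install-policy", {"policy-package": policy, "targets": list(targets)})
    return to_add, to_remove


class DryRunTransport:
    """Constructed stand-in for a management server: records every call and answers
    show-group from a fixed member table, so the example runs offline."""

    def __init__(self, members):
        self.calls, self.members = [], members

    def __call__(self, path, body, sid):
        self.calls.append((path, body))
        if path == "login":
            return {"sid": "dry-run-sid"}
        if path == "show-group":
            return {"members": [{"name": n, "type": "host", "ipv4-address": ip}
                                for ip, n in self.members.items()]}
        return {}


def demo():
    """Constructed scenario: the portal gained 203.0.113.11 and dropped 198.51.100.5."""
    group = "RA_Portal_Hosts"
    transport = DryRunTransport({"203.0.113.10": f"{group}_203.0.113.10",
                                 "198.51.100.5": f"{group}_198.51.100.5"})
    api = MgmtApi("mgmt.example.internal", transport)
    api.login("api_user", "not-a-real-password")
    fake_dns = {"portal.example.com": ["203.0.113.10", "203.0.113.11"]}  # constructed
    to_add, to_remove = sync_group(api, group, ["portal.example.com"],
                                   resolver=fake_dns.__getitem__,
                                   policy="Standard", targets=["gw-remote-access"])
    return to_add, to_remove, transport.calls


if __name__ == "__main__":
    add, rem, calls = demo()
    print("add:", add, "remove:", rem, "calls:", [c[0] for c in calls])
```

Two caveats a practitioner should keep in mind. The group only ever reflects what your resolver answered at that moment: a load balancer or CDN can hand different records to different clients or regions, so run the sync from a resolver you control and on a schedule short enough for the target's TTLs. And the change reaches remote users only after the policy install, so use a dedicated API user with the minimum permissions needed for this group and package, and keep the install targets limited to the remote access gateways.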
PhoneBoy
Admin

In R81.20, you’ll have the ability to use updatable objects and the like for the Remote Access encryption domain.
Recommend joining the production EA.

Dan_Moesch
Participant

That is fantastic news!  Something we have wanted for years!

Will it also support domain objects? Or will it be limited to Check Point's updatable objects?

PhoneBoy
Admin

From what I understand, you'll be able to include Updatable, Dynamic, or Domain objects as part of this.
In the meantime, you can employ this manual workaround: sk167000.

Hrvoje_Brlek
Contributor

@PhoneBoy is this feature indeed implemented in 81.20? 

We are looking to exclude MS Teams subnets from our VPN encryption domain for remote users (using a Group with Exclusions), and to have it dynamically updatable, of course.

Dan_Moesch
Participant

There is a caveat here. You cannot "include" dynamic objects, only "exclude" them. So depending on how your split VPN tunnel is set up, this feature may not help. For example, we only "include" IP addresses that we want VPN users to come back to on-prem for. All other traffic is sent out. This helps limit the amount of traffic coming back to on-prem.

Does anyone know if CP plans to address this scenario in the future?

PhoneBoy
Admin

For an "inclusive" encryption domain, you don't use Hub Mode, which is what forces all traffic to route to the gateway.
Whether the dynamic elements of this work or not without Hub Mode enabled is a separate question, but you can certainly list static hosts and networks to "include" in this situation.

Dan_Moesch
Participant

Correct, we are using static hosts; the question is around dynamic objects and updatable objects in the "inclusive" split tunnel. Is that in future plans?

PhoneBoy
Admin

It may already work...have you tried it?
Whether it's supported or not is a separate question, and this may require an RFE with your local Check Point office.

Am curious about the precise use case for this...what dynamic objects do you wish to "include" in your Remote Access encryption domain?

Dan_Moesch
Participant

There are various use cases. Let's say a client site does IP filtering for a portal we use. We would want to apply that domain name in the RAC vs. having to maintain an IP list. We also might use IP filtering for MS Teams or other applications that have CP updatable objects, etc.

PhoneBoy
Admin

It's funny you mention MS Teams because that's usually an app that people want to exclude from Hub Mode...
Like I said, it may already work.
However, this feature was developed for Hub Mode.

Dan_Moesch
Participant

Yes, that makes sense that it was developed for Hub Mode. I think it will get tricky using the inclusive mode due to the nature of the Windows routing table, which is used to control the traffic in a split tunnel. Once we get to R81.20 we will test some of the functionality out. The challenge on our side is that we have a lot of secure portals that our users access. These portals all have IP filters on them. It becomes a challenge to manage them with destination IP address lists, especially as some of these portals move to AWS, etc., and don't have a set range of IP addresses.
