Managing a Network

Editing a Network

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click ⋮ and then click Edit Network.

    The Edit Network window appears.

  4. Make the required changes and click Save.

Adding Regions

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click ⋮ and then click Add Regions.

    The Add Region window appears.

  4. From the Region list, select the region to deploy the Check Point SASE gateway.

  5. In the Number of Gateways field, enter the number of private gateways you want to deploy in the region.

  6. To add another region, click Add Region and repeat steps 4 and 5.

  7. To activate the gateway for users, select the Activate Gateways For Users checkbox.

  8. Click Add Region.

Managing Access

Manage Access allows you to select the member groups who can access the network.

To manage access to a network:

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click ⋮ and then click Manage Access.

    The Manage Access window appears.

  4. From the list, select the member groups who can access the network.

  5. To remove a member group, click Remove.

  6. Click Apply.

Firewall Rules

Firewall Rules allows you to set the firewall access rules for your network.

To set the rules, see Creating a Firewall Access Rule.

Split Tunneling

Split tunneling allows you to choose which traffic passes through the tunnel and which traffic bypasses the tunnel and accesses the resource directly.

Private network traffic is always tunneled through the cloud, based on your network tunnels and routing table settings.

You can specify additional destinations to route through the Check Point SASE cloud (for example, public resources that require inspection) or to bypass the tunnel.

Notes:

  • Split tunneling by FQDN is supported only for Check Point SASE Agents 10.1.x and higher. With older agent versions, split tunneling by FQDN is ignored and reverts to full tunneling.

  • The recommended setting is not to tunnel internet traffic through the cloud, to minimize latency while keeping connectivity to private resources.

To configure split tunneling for a network:

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select your network.

  3. Click ⋮ and then click Split Tunneling.

    The Hybrid SASE Settings window appears.

  4. Select one of these:

    • Tunnel all internet traffic: Routes all internet traffic through SASE, except the destinations you specify. These destinations bypass the tunnel.

    • Do not tunnel any traffic: Routes only private network traffic through SASE. Internet traffic is sent directly to the internet, except the destinations you specify. These destinations are tunneled.

  5. In the Except for the Following Destinations, search for objects.

  6. In All Exceptions, select the required objects:

    1. Assigned: Displays the objects currently selected for this network.

    2. Subnet: Select subnet-based destination objects.
      When Do not tunnel internet traffic is selected, you can choose:

      • Included – Routes the selected subnets through the tunnel

      • Excluded – Routes the selected subnets outside the tunnel

        Note -

        • The system validates excluded subnets against the included subnets list.

        • Excluded subnets must be part of the included subnets.

        • An administrator cannot add excluded subnets that are not included.

        • The Included and Excluded options are available only for subnet-based destinations. In Tunnel all internet traffic, all specified destinations are automatically excluded.

    3. IP: Select individual IP address objects.

    4. List: Select predefined lists that contain multiple IPs, subnets, or FQDNs.

    5. FQDN: Select fully qualified domain name (FQDN) objects for domain-based split tunneling rules.
      For more information on creating Subnet, IP, List, and FQDN objects, see Addresses.

    6. Updatable Objects: Select dynamic object groups that automatically update their IP ranges.
      For more information, see Updatable Objects.
      Note - Microsoft Azure services, Amazon Web Services (AWS), and Geolocation-based Updatable Objects are not supported for Split Tunneling.

  7. Verify the selected objects under the Assigned tab.

  8. Click Apply Changes.

    Note - The processing time depends on system resources. It takes up to 3 seconds for every 500 subnets.
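The subnet rules above (excluded subnets must lie inside an included subnet; in Tunnel all internet traffic every listed destination bypasses the tunnel), as an added example that is not Check Point's code: a small checker that applies the validation rule and then decides, per destination, whether traffic is tunneled in each mode. The mode constants and the argument shapes are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List

# Mode names follow the two options in the Hybrid SASE Settings window.
TUNNEL_ALL = "Tunnel all internet traffic"
TUNNEL_NONE = "Do not tunnel any traffic"


def validate_exceptions(included: Iterable[str], excluded: Iterable[str]) -> List[str]:
    """Return the excluded subnets that break the rule
    'Excluded subnets must be part of the included subnets'."""
    inc = [ipaddress.ip_network(s, strict=False) for s in included]
    bad = []
    for s in excluded:
        exc = ipaddress.ip_network(s, strict=False)
        # subnet_of() raises on mixed IP versions, so compare same-version nets only
        if not any(exc.subnet_of(net) for net in inc if net.version == exc.version):
            bad.append(s)
    return bad


def is_tunneled(mode: str, dest: str, private: Iterable[str],
                included: Iterable[str] = (), excluded: Iterable[str] = ()) -> bool:
    """Decide whether traffic to dest goes through the SASE tunnel.

    Private network traffic is always tunneled (routing table).
    TUNNEL_ALL: everything is tunneled except the listed exceptions, which
    bypass the tunnel (both lists count as exceptions in this mode).
    TUNNEL_NONE: only the included subnets are tunneled, minus the excluded
    carve-outs inside them."""
    ip = ipaddress.ip_address(dest)

    def in_any(nets: Iterable[str]) -> bool:
        return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

    if in_any(private):
        return True
    if mode == TUNNEL_ALL:
        return not in_any(list(included) + list(excluded))
    if mode == TUNNEL_NONE:
        return in_any(included) and not in_any(excluded)
    raise ValueError(f"unknown mode: {mode}")
```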

Private DNS

Private DNS lets the network resolve hostnames through configured DNS servers instead of public resolvers. Configure Private DNS at two scopes:

  • Network - Applies to all regions in the network.

  • Region - Overrides the network-wide settings for agents connected to that region.

Open the panel from the network or region. The title reads Manage Network Private DNS or Manage Region Private DNS accordingly. Turn on Use Private DNS Servers to enable the rest of the panel.

  • Network-level Private DNS and regional Private DNS can be used at the same time.

  • Regional DNS overrides network-level Private DNS for that region. If no regional DNS exists, network-level Private DNS applies.

What you can configure

  • Choose which DNS queries are sent to the private DNS servers - either all queries, or only the domains in the list.

  • Add domains as exact names (mysite.acme.com) or wildcards (*.acme.org), up to 100 entries.

  • Decide whether queries that fail on the private servers fall back to public DNS or are returned as a failure to the client.

  • Define up to 4 private DNS servers (IPv4 and port).

  • Add optional Search Domains that agents append to short hostnames.

Resolution modes

  • Specify Private Domains
    What it does: Only DNS queries that match a domain in the list are forwarded to the private DNS servers. All other queries go directly to public DNS.
    When to use: Route only internal or corporate domains through the private servers. All other queries go directly to the internet.

  • All Domains
    What it does: Every DNS query is forwarded to the private DNS servers. If a query fails, the agent falls back to public DNS.
    When to use: Have the private DNS servers answer every query the network handles.

Adding private domains

In Specify Private Domains mode, use the Add Private Domains field to list the domains resolved through the private servers. Enter a domain and press Enter. Entered domains appear as chips and can be removed with the × next to each chip.

  • mysite.acme.com - Matches the exact host. Subdomains are not matched.

  • *.acme.com - Matches any subdomain of acme.com (for example, mysite.acme.com or mail.eu.acme.com). The bare apex acme.com is not matched; add it explicitly if you need it.

  • *.mysite.acme.com - Matches any subdomain of mysite.acme.com.

The list accepts up to 100 domains and requires at least one entry. If the list is empty, the panel shows At least one domain is required and Apply is disabled.

Public DNS fallback

The Use Public DNS Servers on Failure checkbox controls what happens when the private DNS servers fail to answer a query (timeout, SERVFAIL, REFUSED, or NXDOMAIN).

  • In Specify Private Domains mode, the checkbox is editable:

    • Off - Failures from the private servers are returned to the client. The query is not retried against public DNS, so internal domain names are not exposed to public resolvers.

    • On - If the private servers fail, the agent retries the query against public DNS.

  • In All Domains mode, the checkbox is selected and locked. Any query that fails on the private servers is automatically retried against public DNS.

Note - In Specify Private Domains mode, leave Use Public DNS Servers on Failure off to prevent internal domain names from leaking to public resolvers. This is recommended once the domain list is curated.
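The domain-pattern rules in Adding private domains and the fallback behaviour in Public DNS fallback, as one added example that is not Check Point's code: a model of the panel's settings that enforces the list limits, matches query names the way the table describes, and reports where a query ends up when the private servers fail. The class, function names and the "private_result" outcome strings are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List

MAX_DOMAINS = 100
# Failure outcomes named on the page for the private servers.
FAILURES = {"timeout", "SERVFAIL", "REFUSED", "NXDOMAIN"}


@dataclass
class PrivateDns:
    mode: str                       # "Specify Private Domains" or "All Domains"
    domains: List[str] = field(default_factory=list)
    fallback_to_public: bool = False   # Use Public DNS Servers on Failure

    def __post_init__(self):
        self.domains = [d.lower().rstrip(".") for d in self.domains]
        if self.mode == "Specify Private Domains":
            if not self.domains:
                raise ValueError("At least one domain is required")
            if len(self.domains) > MAX_DOMAINS:
                raise ValueError(f"at most {MAX_DOMAINS} domains are allowed")
        elif self.mode == "All Domains":
            self.fallback_to_public = True   # checkbox is selected and locked
        else:
            raise ValueError(f"unknown mode: {self.mode}")


def matches(pattern: str, name: str) -> bool:
    """An exact pattern matches only that host. '*.x' matches any subdomain
    of x at any depth, but not the bare apex x itself."""
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith("." + pattern[2:])
    return name == pattern


def uses_private_servers(cfg: PrivateDns, name: str) -> bool:
    if cfg.mode == "All Domains":
        return True
    return any(matches(p, name) for p in cfg.domains)


def resolve_path(cfg: PrivateDns, name: str, private_result: str) -> str:
    """Where a query ends up. private_result is the private servers' outcome:
    an answer, or one of FAILURES. Returns 'public', 'private',
    'public (fallback)' or 'failed' (error returned to the client)."""
    if not uses_private_servers(cfg, name):
        return "public"
    if private_result not in FAILURES:
        return "private"
    return "public (fallback)" if cfg.fallback_to_public else "failed"
```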

Private DNS servers

Add up to 4 private DNS servers. For each server, enter an IPv4 address in Server IP Address and select a Port (default Standard (53)). Click + Add Server IP Address to add more entries. At least one server is required.

Note - Do not use public DNS resolvers (such as 8.8.8.8, 8.8.4.4, 1.1.1.1, or 1.0.0.1) as private DNS servers. If the DNS server does not have a public IP address, reach it through an IPSec or WireGuard tunnel.

(Optional) Search domains

Add suffixes that agents append when resolving short hostnames. Search domains apply in both resolution modes. Click + Add Search Domain to add more entries.

Configure private DNS

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network. To configure Private DNS for a single region, open that region instead.

  3. To add Private DNS:

    • For a network, click ⋮ and then click Private DNS.

    • For a region, in the Regions section, click ⋮ and then click Regional Private DNS.

    The Manage Network Private DNS window (for a network) or the Manage Region Private DNS window (for a region) appears.

  4. Turn on Use Private DNS Servers.

  5. Select a resolution mode:

    • Specify Private Domains - Add at least one domain (exact or wildcard) to Add Private Domains.

    • All Domains - No domain list is needed. Every query is forwarded to the private servers.

  6. Set Use Public DNS Servers on Failure as required. The checkbox is locked on in All Domains mode.

  7. Add up to 4 private DNS servers (Server IP Address and Port).

  8. (Optional) Add Search Domains.

  9. Click Apply and wait for the configuration to deploy.

DNS Filtering

DNS Filtering allows you to manage internet access for members in your network by blocking or allowing websites using an allow-list and a block-list.

Best Practices -

  • Make sure that you have the list of URLs to block and allow.

  • Make sure that the DNS filter settings work as expected.


To configure DNS filtering for a network:

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click ⋮ and then click DNS Filtering.

    The DNS Filtering window appears.

  4. Turn on the Enable DNS Filter toggle button.

  5. From the Blocked Domain Categories list, select the website categories you want to block.

  6. In the Blocked Domains field, enter the domains you want to block or upload a .CSV file with the domains.

    Make sure that the .CSV file:

    • Contains all the entries in a single column.

    • Has only one entry in each cell.

    • Has no more than 1000 entries.

    • Has each entry in the form domain.com, without a www, http, or https prefix.

    Note - When you block a domain, the system blocks the related sub-domains as well.

  7. In the Exclusion list field, enter the URLs you want to exempt from the blocked domains list or upload a .CSV file with the domains.

  8. Click Apply.

    After the settings are applied, a tooltip shows that DNS filtering is activated in your network.

    The changes are enforced the next time the member connects to your network using the Check Point SASE Agent.
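The .CSV rules and the sub-domain note above, as an added example that is not Check Point's code: a pre-upload check for a blocked-domains file and a function that applies the resulting block and exclusion lists to a queried name. The sample file is constructed; the function names and the assumption that an exclusion also exempts its sub-domains are mine, not the page's.

```python
import csv
import io
import re
from typing import List, Tuple

MAX_ENTRIES = 1000
# Bare domain: labels of letters/digits/hyphens, no leading or trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def validate_block_csv(text: str) -> Tuple[List[str], List[str]]:
    """Check a blocked-domains .CSV against the page's rules: a single column,
    one entry per cell, at most 1000 entries, each in the form domain.com with
    no www/http/https prefix. Returns (accepted domains, error messages)."""
    domains, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row if c.strip()]
        if not cells:
            continue                      # blank line
        if len(cells) > 1:
            errors.append(f"line {lineno}: more than one column")
            continue
        entry = cells[0].lower()
        if entry.startswith(("http://", "https://", "www.")):
            errors.append(f"line {lineno}: prefix not allowed: {cells[0]}")
        elif not DOMAIN_RE.match(entry):
            errors.append(f"line {lineno}: not a bare domain: {cells[0]}")
        else:
            domains.append(entry)
    if len(domains) > MAX_ENTRIES:
        errors.append(f"{len(domains)} entries exceed the limit of {MAX_ENTRIES}")
    return domains, errors


def _under(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def is_blocked(name: str, blocked: List[str], exclusions: List[str]) -> bool:
    """Blocking a domain also blocks its sub-domains (page note). An exclusion
    exempts that domain and, as assumed here, its sub-domains."""
    name = name.lower().rstrip(".")
    if any(_under(name, e) for e in exclusions):
        return False
    return any(_under(name, b) for b in blocked)


# Constructed sample file (not from the page): two good rows, three bad ones.
SAMPLE_CSV = "example.com\nhttps://bad.example\nwww.tracker.net\ncdn.example.org,extra.com\nads.example.net\n"
```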

Routes Table

Routes Table shows the routes created for the tunnels in your network.

To add a new route to a tunnel in your network:

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click ⋮ at the right end of the network and then select Routes Table.

  4. Click Add Route.

  5. Enter all the subnets on the remote side of the tunnel and then click Add Route.

    For cloud-based resources, enter these subnets for your vendor and tunnel type.

    Amazon AWS

    • AWS Single Tunnel - Transit Gateway: CIDRs of the attached VPCs (the VPCs to which you want to gain access).

    • AWS Single Tunnel - Virtual Gateway: Subnets you want to reach on the AWS side of the tunnel.

    • AWS Redundant Tunnels - Transit Gateway and AWS Redundant Tunnels - Virtual Private Gateway: Subnets you want to reach on the AWS side of the tunnel.

      Note - Ensure that the added route matches the route transmitted by BGP. Any discrepancies, such as incorrect subnetting or supernetting, are strictly prohibited.

    Google Cloud Platform

    • Single Tunnel and Redundant Tunnels: From the GCP console, copy the subnets of the regions where your resources are installed.

    Microsoft Azure

    • Single Tunnel - Virtual Network Gateway, Redundant Tunnels - Virtual Network Gateway, and Redundant Tunnels - Virtual WAN: Subnets of the regions where your resources are installed.

  6. Click Apply Configuration.

Deleting a Network

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click ⋮ and then click Delete Network.

  4. Click Delete.