Dynamic Split Tunneling for SaaS Using Updatable Objects
To decrease load on a VPN Gateway, you can exclude traffic for SaaS from your Remote Access VPN Tunnel in Hub Mode.
Chain of Events:
- The administrator configures which services to exclude from the Remote Access VPN Tunnel.
- The VPN Gateway dynamically fetches the IP addresses of the configured services from the Internet and sends this information to the Remote Access VPN clients.
- The Remote Access VPN clients exclude traffic for these services from the Remote Access VPN Tunnel.
Prerequisites
This feature requires:
- Security Management Server - version R81.20 or higher
- Security Gateway - version R81.20 or higher
- Remote Access VPN clients for Windows OS - version E86.20 or higher
Configuration
To exclude SaaS services from a Remote Access VPN tunnel in Hub mode:
- Connect with SmartConsole to the Security Management Server / Domain Management Server that manages this Security Gateway / Cluster.
- Configure Remote Access VPN.
- Configure Hub Mode.
- Configure a dedicated encryption domain for Remote Access VPN:
  - From the left navigation panel, click Gateways & Servers.
  - Open the Security Gateway / Cluster object:
    - In the left navigation tree, click Network Management > VPN Domain.
    - Select User defined.
    - In the Encryption Domain field, select the Group object you configured for the Remote Access VPN community.
    - In this Group object, add a nested Simple Group object with a name that begins with "exclusions_".
      Important - Dynamic Split Tunneling uses this nested group. Therefore, this Simple Group object can include objects only from these types: Updatable, Dynamic, or Domain.
    - Add the applicable object for your SaaS to this nested group.
    - Click OK.
- In SmartConsole, install the Access Control Policy on the Security Gateway / Cluster object.
To enable the feature on the Remote Access VPN client, do one of these:
- Edit the '$FWDIR/conf/trac_client_1.ttm' file on the Security Gateway:
  - Connect to the command line on the Security Gateway / each Cluster Member.
  - Log in to the Expert mode.
  - Back up the current $FWDIR/conf/trac_client_1.ttm file:
    cp -v $FWDIR/conf/trac_client_1.ttm{,_BKP}
  - Edit the current $FWDIR/conf/trac_client_1.ttm file:
    vi $FWDIR/conf/trac_client_1.ttm
  - In the main parameter "trac_client_1", add the new parameter "split_tunnel" as shown below:
    (
        :trac_client_1 (
            :split_tunnel (
                :gateway (
                    :default (true)
                )
            )
            :<other_parameters> (
                ... ...
            )
        )
    )
  - Save the changes in the file and exit the editor.
  - In SmartConsole, install the Access Control Policy on the Security Gateway / Cluster object.
  The feature is available on the VPN client after a new Remote Access VPN tunnel is established between the client and the Security Gateway.
- Edit the 'trac.defaults' file on the VPN client (located in the VPN client's installation folder):
  Note - For information on how to prepare an installation package with the VPN Configuration Utility, see sk122574.
  - Go to the VPN client installation directory (default paths by operating system):
    - Windows OS 32-bit - one of these:
      - %ProgramFiles%\CheckPoint\Endpoint Security\Endpoint Connect\
      - %ProgramFiles%\CheckPoint\Endpoint Connect\
    - Windows OS 64-bit - one of these:
      - %ProgramFiles(x86)%\CheckPoint\Endpoint Security\Endpoint Connect\
      - %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\
    - macOS:
      - /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/
  - Create a copy of the current trac.defaults file.
  - Edit the current trac.defaults file with an advanced plain-text editor (such as Notepad++, UltraEdit, PSPad).
  - Configure the value of the "split_tunnel" parameter to "true":
    :split_tunnel STRING true GW_USER 0
    Important - Do not change the other predefined strings in this line - "STRING", "GW_USER", and "0".
  - Save your changes and close the file.
  - Restart the computer with the VPN client installed.
  The VPN client starts to exclude SaaS services the next time it creates a new Remote Access VPN tunnel to the Security Gateway.
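The gateway-side option above asks the administrator to hand-edit trac_client_1.ttm in vi, where a misplaced parenthesis silently breaks the whole file. The following Python script is an added example (it is not Check Point's code and is not on the original page) that performs the same edit with a backup, refuses to touch a file whose parentheses are already unbalanced, is idempotent, and reads the value back for verification. It assumes the file follows the nested ":name ( ... )" layout shown above with ":trac_client_1 (" on its own line; the sample file and the parameter name "some_parameter" in it are constructed placeholders.

```python
"""Idempotent insertion of the split_tunnel block into trac_client_1.ttm.

Example code added to this page; not a Check Point tool. Assumes the file
uses the nested ":name ( ... )" layout shown on the page, with the top-level
":trac_client_1 (" branch on a line of its own.
"""
import re
import shutil
from pathlib import Path
from typing import Optional

# Exactly the block the page tells the administrator to add, indented to sit
# one level inside ":trac_client_1 (".
SPLIT_TUNNEL_BLOCK = (
    "    :split_tunnel (\n"
    "        :gateway (\n"
    "            :default (true)\n"
    "        )\n"
    "    )\n"
)

# Constructed sample of a minimal ttm file; ":some_parameter" is a
# placeholder, not a real Check Point setting.
SAMPLE_TTM = (
    "(\n"
    ":trac_client_1 (\n"
    "    :some_parameter (\n"
    "        :gateway (\n"
    "            :default (client_decide)\n"
    "        )\n"
    "    )\n"
    ")\n"
    ")\n"
)


def balanced(text: str) -> bool:
    """True if every '(' has a matching ')'. A cheap sanity check run before
    and after editing, because one stray parenthesis breaks the whole file."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def split_tunnel_default(text: str) -> Optional[str]:
    """Return the value of :split_tunnel > :gateway > :default, or None if
    the block is absent. Used both for idempotency and for verification."""
    m = re.search(
        r":split_tunnel\s*\(\s*:gateway\s*\(\s*:default\s*\(\s*([^\s)]+)\s*\)",
        text,
    )
    return m.group(1) if m else None


def add_split_tunnel(text: str) -> str:
    """Return text with the split_tunnel block inserted directly after the
    ':trac_client_1 (' line. Calling it again on the result is a no-op."""
    if not balanced(text):
        raise ValueError("unbalanced parentheses in input; refusing to edit")
    if split_tunnel_default(text) is not None:
        return text  # already configured; never add a duplicate block
    m = re.search(r"^[ \t]*:trac_client_1[ \t]*\([ \t]*$", text, re.M)
    if m is None:
        raise ValueError("':trac_client_1 (' line not found")
    line_end = text.find("\n", m.end())
    if line_end == -1:  # file ends without a newline after that line
        text += "\n"
        line_end = len(text) - 1
    insert_at = line_end + 1
    out = text[:insert_at] + SPLIT_TUNNEL_BLOCK + text[insert_at:]
    if not balanced(out):
        raise RuntimeError("edit produced unbalanced output")
    return out


def patch_file(path: str) -> bool:
    """Back up <path> to <path>_BKP (the same suffix the page's cp command
    uses) and rewrite it in place. Returns True if the file changed."""
    p = Path(path)
    original = p.read_text()
    updated = add_split_tunnel(original)
    if updated == original:
        return False
    shutil.copy2(p, p.with_name(p.name + "_BKP"))
    p.write_text(updated)
    return True


if __name__ == "__main__":
    # Run against the constructed sample; on a gateway you would instead call
    # patch_file("/opt/CPsuite-R81.20/fw1/conf/trac_client_1.ttm") or the
    # path that $FWDIR resolves to in Expert mode.
    print(add_split_tunnel(SAMPLE_TTM))
```

After patching, installing the Access Control Policy from SmartConsole is still required, exactly as in the manual procedure; the script only replaces the vi step. On a cluster, run it on each Cluster Member so the members stay identical.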
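The client-side option above warns that only the value in the ":split_tunnel STRING true GW_USER 0" line may change and that "STRING", "GW_USER" and "0" must stay intact. The following Python script is an added example (not Check Point's code and not part of the original page) that flips the value while leaving the other fields and every other line untouched, refuses to edit if the fixed fields are not what the page specifies or if the line appears more than once, and offers a check that reports whether the feature is enabled. It assumes the line has the five whitespace-separated fields shown above; the sample file and the placeholder parameter names in it are constructed.

```python
"""Set the split_tunnel value in a VPN client's trac.defaults file.

Example code added to this page; not a Check Point tool. Assumes the line
has the five whitespace-separated fields shown on the page:
    :split_tunnel STRING <value> GW_USER 0
and that only the third field (the value) may change.
"""
import re
from pathlib import Path
from typing import Optional

# Constructed sample; the neighbouring parameter names are placeholders.
SAMPLE_DEFAULTS = (
    ":placeholder_param_a STRING abc GW_USER 0\n"
    ":split_tunnel STRING false GW_USER 0\n"
    ":placeholder_param_b STRING xyz GW_USER 0\n"
)

# Groups: 1 = leading ':split_tunnel' plus whitespace, 2 = type field,
# 3 = whitespace, 4 = value, 5 = the two remaining fields and any trailing text.
LINE_RE = re.compile(
    r"^([ \t]*:split_tunnel[ \t]+)(\S+)([ \t]+)(\S+)([ \t]+\S+[ \t]+\S+.*)$",
    re.M,
)


def split_tunnel_value(text: str) -> Optional[str]:
    """Current value of the split_tunnel line, or None if the line is absent."""
    m = LINE_RE.search(text)
    return m.group(4) if m else None


def line_is_valid(text: str) -> bool:
    """True only if the line reads ':split_tunnel STRING true GW_USER 0'
    (whitespace aside): the feature is on and the fixed fields are intact."""
    m = LINE_RE.search(text)
    if m is None:
        return False
    fields = [m.group(2), m.group(4)] + m.group(5).split()
    return fields == ["STRING", "true", "GW_USER", "0"]


def set_split_tunnel(text: str, value: str = "true") -> str:
    """Return text with the split_tunnel value replaced by <value>.
    Every other byte of the file is preserved."""
    matches = list(LINE_RE.finditer(text))
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one :split_tunnel line, found {len(matches)}"
        )
    m = matches[0]
    # Guard the fields the page says must not change.
    if m.group(2) != "STRING" or m.group(5).split()[:2] != ["GW_USER", "0"]:
        raise ValueError("fixed fields are not STRING / GW_USER / 0; not editing")
    new_line = m.group(1) + m.group(2) + m.group(3) + value + m.group(5)
    return text[: m.start()] + new_line + text[m.end():]


def patch_file(path: str) -> bool:
    """Copy <path> to <path>.bak (the page's 'create a copy' step), then
    rewrite it. Returns True if the file changed."""
    p = Path(path)
    original = p.read_text()
    updated = set_split_tunnel(original)
    if updated == original:
        return False
    p.with_name(p.name + ".bak").write_text(original)
    p.write_text(updated)
    return True


if __name__ == "__main__":
    # Demonstrate on the constructed sample; on a client you would point
    # patch_file() at trac.defaults in the installation directory listed above.
    result = set_split_tunnel(SAMPLE_DEFAULTS)
    print(result, "valid:", line_is_valid(result))
```

The script deliberately does not create a split_tunnel line when none exists: the page describes changing a predefined line, and adding one with guessed fields would be the kind of edit the "Important" note warns against. The computer still has to be restarted afterwards, as the procedure states.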