Dynamic Split Tunneling for SaaS Using Updatable Objects

To control the load on a VPN Gateway, Check Point supports Domain based Dynamic Split Tunneling for Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. in two modes:

  • Exclusion Mode: Specified domains bypass the VPN tunnel.

    Supported on R82 GA.

  • Inclusion Mode: Only specified domains are routed through the VPN tunnel.

    Supported starting R82 Jumbo Hotfix Accumulator Take 36.

Note - You can configure either exclusions_ or inclusions_, but not both. They are mutually exclusive.

Chain of Events:

  1. Administrator configures which services to exclude or include in the Remote Access VPN Tunnel.

  2. The VPN Gateway dynamically fetches the IP addresses of configured services from the Internet, and sends this information to Remote Access VPN clients.

  3. Remote Access VPN clients exclude or include the traffic for these services from / to the Remote Access VPN Tunnel.

Prerequisites

Configuration

To exclude or include SaaS services in a Remote Access VPN tunnel:

Step 1.a: Configure the Remote Access VPN

  1. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management Server / Domain Management Server that manages this Security Gateway / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

  2. Configure Remote Access VPN.

    See Getting Started with Remote Access.

  3. For exclusion mode, configure Hub Mode:

    See Hub Mode (VPN Routing for Remote Clients)

Step 1.b: Configure the group for exclusion / inclusion

  1. In the Object Explorer on the right panel, click New > Network Group. The New Network Group window opens.

  2. Give the group a name. This group contains the exclude or include group.

  3. Click the plus () icon to add an object to this group. The add object window opens.

  4. Click the New () icon and select GroupsNetwork Group.

  5. The Name of the Network Group must begin with:

    • For exclusion mode, the name must begin with:

      exclusions_

    • For inclusion mode, the name must begin with:

      inclusions_

    Important:

    • Naming is critical – the system uses this prefix to identify the mode.

    • The group must directly contain only these object types:

      • Updatable objects

      • Dynamic objects

      • Domain objects

      Nested groups are not supported, even if the nested group contains only allowed object types.

  6. Add the applicable Updatable, Dynamic, or Domain objects (e.g., your SaaS application) directly to the group that starts with exclusions_ or inclusions_.

  7. Click OK to save the group.

  8. Click OK to save the first group.

Step 1.c: Configure the VPN domain

  1. In SmartConsole > Objects menu > Object Explorer, click VPN Communities.

  2. Double-click the Remote Access community object.

  3. In the Participating Gateways tab, click the plus () icon to add a new Security Gateway / Cluster to the community, or double-click an existing Gateway. The VPN Configuration for the Security Gateway / Cluster opens.

  4. Below VPN Domain, check Override, and select the group you created in Step 1.b.2.

  5. Click OK to save the VPN domain.

  6. Click OK to save the Remote Access community settings.

  7. In SmartConsole, publish the changes and install the Access Control Policy on the Security Gateway / Cluster.

To enable the feature on the Remote Access VPN client, do one of these:

    1. Connect to the command line on the Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster..

    2. Log in to the Expert mode.

    3. Back up the current $FWDIR/conf/trac_client_1.ttm file:

      cp -v $FWDIR/conf/trac_client_1.ttm{,_BKP}

    4. Edit the current $FWDIR/conf/trac_client_1.ttm file:

      vi $FWDIR/conf/trac_client_1.ttm

    5. In the main parameter "trac_client_1", add the new parameter "split_tunnel" as appears below:

      Copy 
      (
          :trac_client_1 (
              :split_tunnel (
                  :gateway (
                      :default (true)
                  )
              )

              :<other_parameters> (
              ... ...
              )
          )
      )

    6. Save the changes in the file and exit the editor.

    7. In SmartConsole, install the Access Control policy on the Security Gateway / Cluster Object.

    The feature is available on the VPN client after the administrator makes a new connection between the Security Gateway and a Remote Access VPN tunnel.

  		•

    Note - For information on how to prepare an installation package with the VPN Configuration Utility, see sk122574.

    1. Go to the VPN client installation directory:

      Operating System

      Default Path

      Windows OS 32-bit

      One of these:

      • %ProgramFiles%\CheckPoint\Endpoint Security\Endpoint Connect\

      • %ProgramFiles%\CheckPoint\Endpoint Connect\

      Windows OS 64-bit

      One of these:

      • %ProgramFiles(x86)%\CheckPoint\Endpoint Security\Endpoint Connect\

      • %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\

      macOS

      /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/

    2. Create a copy of the current trac.defaults file.

    3. Edit the current trac.defaults file with an advanced plain-text editor (such as Notepad++, UltraEdit, PSPad).

    4. Configure the value of the "split_tunnel" parameter to "true":

      split_tunnel        STRING        true        GW_USER    0

      Important - Do not change other predefined strings in this line - "STRING", "GW_USER", and "0".

    5. Save your changes and close the file.

    6. Restart the computer with the VPN client installed.

    The VPN client starts to exclude SaaS services the next time it creates a new Remote Access VPN tunnel to the Security Gateway.