Dynamic Split Tunneling for SaaS Using Updatable Objects

To control the load on a VPN Gateway, Check Point supports Domain based Dynamic Split Tunneling for Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. in two modes:

  • Exclusion Mode: Specified domains bypass the VPN tunnel.

    Supported on R82 GA.

  • Inclusion Mode: Only specified domains are routed through the VPN tunnel.

    Supported starting R82 Jumbo Hotfix Accumulator Take 36.

Note - You can configure either exclusions_ or inclusions_, but not both. They are mutually exclusive.

Chain of Events:

  1. Administrator configures which services to exclude or include in the Remote Access VPN Tunnel.

  2. The VPN Gateway dynamically fetches the IP addresses of configured services from the Internet, and sends this information to Remote Access VPN clients.

  3. Remote Access VPN clients exclude or include the traffic for these services from / to the Remote Access VPN Tunnel.

Prerequisites

Configuration

To exclude or include SaaS services in a Remote Access VPN tunnel:

Step 1.a: Configure the Remote Access VPN

  1. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management Server / Domain Management Server that manages this Security Gateway / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

  2. Configure Remote Access VPN.

    See Getting Started with Remote Access.

  3. Configure a dedicated encryption domain for Remote Access VPN.

    See Advanced VPN Domain Configuration.

Step 1.b: Configure the VPN Domain

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the Security Gateway / Cluster object:

  3. In the left navigation tree, expand Network Management > VPN Domain.

  4. In the Advanced section, next to Set Specific VPN Domain for Gateway Communities, click Set...

    The Communities Specific VPN Domain window opens.

  5. Select the Remote Access community object.

  6. Click Set...

    The Set Specific VPN Domain for Community window opens.

  7. Click User defined.

  8. Click New > Group > Simple Group.

  9. Give the Simple Group a name.

  10. Click the plus icon ()to add an object to this group.

  11. Click New > Groups > Network Group.

  12. The Name of the Network Group must begin with:

    • For exclusion mode, the name must begin with:

      exclusions_

    • For inclusion mode, the name must begin with:

      inclusions_

    Important:

    • Naming is critical – the system uses this prefix to identify the mode.

    • The group must directly contains only these object types:

      • Updatable objects

      • Dynamic objects

      • Domain objects

      Nested groups are not supported, even if the nested group contains only allowed object types.

  13. Add the applicable Updatable, Dynamic, or Domain objects (e.g. your SaaS application) directly to the group that starts with exclusions_ or inclusions_.

  14. Click OK.

  15. Click OK to save the Simple Group settings.

  16. From the drop-down menu, select the Simple Group object you created in step 8.

  17. Click OK.

  18. Click OK to save the Communities Specific VPN Domain settings.

  19. Click OK to save the Security Gateway / Cluster object settings.

  20. In SmartConsole, publish the changes and install the Access Control Policy on the Security Gateway / Cluster.

To enable the feature on the Remote Access VPN client, do one of these:

    1. Connect to the command line on the Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster..

    2. Log in to the Expert mode.

    3. Back up the current $FWDIR/conf/trac_client_1.ttm file:

      cp -v $FWDIR/conf/trac_client_1.ttm{,_BKP}

    4. Edit the current $FWDIR/conf/trac_client_1.ttm file:

      vi $FWDIR/conf/trac_client_1.ttm

    5. In the main parameter "trac_client_1", add the new parameter "split_tunnel" as appears below:

      Copy 
      (
          :trac_client_1 (
              :split_tunnel (
                  :gateway (
                      :default (true)
                  )
              )

              :<other_parameters> (
              ... ...
              )
          )
      )

    6. Save the changes in the file and exit the editor.

    7. In SmartConsole, install the Access Control policy on the Security Gateway / Cluster Object.

    The feature is available on the VPN client after the administrator makes a new connection between the Security Gateway and a Remote Access VPN tunnel.

  		•

    Note - For information on how to prepare an installation package with the VPN Configuration Utility, see sk122574.

    1. Go to the VPN client installation directory:

      Operating System

      Default Path

      Windows OS 32-bit

      One of these:

      • %ProgramFiles%\CheckPoint\Endpoint Security\Endpoint Connect\

      • %ProgramFiles%\CheckPoint\Endpoint Connect\

      Windows OS 64-bit

      One of these:

      • %ProgramFiles(x86)%\CheckPoint\Endpoint Security\Endpoint Connect\

      • %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\

      macOS

      /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/

    2. Create a copy of the current trac.defaults file.

    3. Edit the current trac.defaults file with an advanced plain-text editor (such as Notepad++, UltraEdit, PSPad).

    4. Configure the value of the "split_tunnel" parameter to "true":

      split_tunnel        STRING        true        GW_USER    0

      Important - Do not change other predefined strings in this line - "STRING", "GW_USER", and "0".

    5. Save your changes and close the file.

    6. Restart the computer with the VPN client installed.

    The VPN client starts to exclude SaaS services the next time it creates a new Remote Access VPN tunnel to the Security Gateway.