CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Results 1 to 2 of 2

Thread: Split Tunnel Concept in Checkpoint Firewall

  1. #1
    Join Date
    Rep Power

    Default Split Tunnel Concept in Checkpoint Firewall

    I wish to understand how checkpoint firewall handles DNS query

    we have configured DNS servers on checkpoint as which is public DNS server.

    And we have DHCP server configured for internal DNS server.

    Now when a client behind gateway will try to open Google which DNS server will respong to this query.

    Thanks for your help appreciated in advance.

  2. #2
    Join Date
    Rep Power

    Default Re: Split Tunnel Concept in Checkpoint Firewall

    Check Point Gateways only respond to DNS queries in two specific circumstances

    1.) Running ISP Redundnacy with DNS Proxy
    2.) Using Check Point GO Sticks in what is now considered legacy configuration, where hands off the request to it's configured DNS Servers.

    As such PC's Servers etc in the Internal Networks will not get a DNS query response from the Check Point Gateway.

    Internal PC / Servers should point at your Internal DNS which should handle DNS requests, if it cannot resolve then should be configured with either forwarders or be able to hand off to Public DNS Servers to resolve.

    Split Tunnel is usually related to Remote Access Tunnels, however is more related to wether tunnel all traffic down the VPN Tunnel or only send traffic down the tunnel that is destined for the Encryption Domain. However the Check Point Gateway itself is not involved in the DNS resolution.

    If using SecuRemote then can defined SecuRemote DNS Servers which can be configured and the VPN Client will use those to resolve, if is for a Domain specified in there configuration.
    If using one of the licensed VPN Clients then the Office Mode can be used to specify DNS Servers.

    With neither SecuRemote/Office Mode does the Check Point Gateway however actually get involved in the DNS queries.

    Apologies if completely misunderstood your question.

Similar Threads

    By gbollyd in forum Eventia Analyzer/Reporter/SmartView Reporter
    Replies: 4
    Last Post: 2011-09-21, 09:10
  2. Partially overlapping (RAS) VPN Domains, concept questions
    By warriar in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 0
    Last Post: 2010-08-30, 02:30
  3. non split tunnel vpn
    By weichunxia in forum SecureClient/SecuRemote
    Replies: 5
    Last Post: 2008-11-19, 10:05
  4. split tunnel question
    By karimi in forum SecureClient/SecuRemote
    Replies: 3
    Last Post: 2006-09-13, 08:13
  5. Disable Split Tunnel
    By elvinmj in forum SecureClient/SecuRemote
    Replies: 2
    Last Post: 2006-08-14, 03:52


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts