Split Tunneling based on Application Control?

[cdooer]

Hi there. Our company is jumping head first into the cloud, starting with O365. We have a significant user base who connects to HO remotely using the Checkpoint VPN client, and we've been really happy with it. As we migrate to O365 though, I would like to split that traffic out, so that it doesn't come across the VPN, through our Ironport WSA's, and then out to the Internet...but instead simply goes directly out the clients Internet connection.

Obviously, doing this using IP's and subnets is not really practical, since these change randomly on Microsoft's end. I was wondering if I could do the split tunnel based on an Application Control rule? Anyone doing anything like this?

Thx.

[Irek_Romaniuk]

I developed program in Go called 'ochepist' which I use to pull list of i.e. Office 365 IP addresses from provided url and write them to the file in CP dbedit format creating group object (see g-o365 in the example below). Retrieving IPs from url and writing them to dbedit can be automated in cron script on management server (I have 77.30, not R80). I can compile it to any platform , doesn't need to run on management server, just the output has to be transported to dbedit. I will be finished with testing in a few days.

Code:

[Expert@provider1:0]# ./ochepist_linux_386 -url="https://minemeld/feeds/office365_IPv4s" -g="g-o365"
wrote 357258 bytes
[Expert@provider1:0]# head results/g-o365-dbedit.txt 
create network_object_group g-o365
create address_range r104.210.43.160-104.210.43.160
modify network_objects r104.210.43.160-104.210.43.160 ipaddr_first 104.210.43.160
modify network_objects r104.210.43.160-104.210.43.160 ipaddr_last 104.210.43.160
modify network_objects r104.210.43.160-104.210.43.160 comments "Created by ochepist with dbedit"
update network_objects r104.210.43.160-104.210.43.160
addelement network_objects g-o365 '' network_objects:r104.210.43.160-104.210.43.160  
update network_objects g-o365
create address_range r104.41.155.129-104.41.155.129
modify network_objects r104.41.155.129-104.41.155.129 ipaddr_first 104.41.155.129
[Expert@provider1:0]# dbedit -local -globallock -f results/g-o365-dbedit.txt

If that object g-o365 is part of VPN group then it will update split tunneling accordingly after policy is installed on the gateway (policy install can be scheduled on management server too)

[jflemingeds]

Thats unsupported!

[Irek_Romaniuk]

Program can be run outside of mgmt server, only to generate dbedit files ;)

[jflemingeds]

Thats ok with me then!

[cdooer]

Any supported way to do this using the Application Control blade?

[Irek_Romaniuk]

Split tunneling is based on vpn encryption domain which from what I know can only be a group of address objects. Updating group of address objects through dbedit automation scripts is supported by Checkpoint

[PhoneBoy]

If you're basically trying to do a "route all traffic to VPN except for Office 365 traffic" then I'm afraid there's no other way to achieve this short of some scripting at the moment.
There is not currently a dynamically updated list of IP addresses integrated into the Check Point policy, though it is in the near-term plans.
However, I'm not sure it will address this specific use case.

[cdooer]

I'd love to get some opinions on what everybody else is doing with respect to O365 migrations, and other cloud based services. How is everyone else controlling access from behind a CP firewall (not referring to the VPN in this case)?