CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Split Tunneling based on Application Control?

  1. #1
    Join Date
    2006-10-04
    Posts
    32
    Rep Power
    0

    Split Tunneling based on Application Control?

    Hi there. Our company is jumping head first into the cloud, starting with O365. We have a significant user base who connect to HO remotely using the Checkpoint VPN client, and we've been really happy with it. As we migrate to O365, though, I would like to split that traffic out, so that it doesn't come across the VPN, through our Ironport WSAs, and then out to the Internet... but instead simply goes directly out the client's Internet connection.

    Obviously, doing this using IPs and subnets is not really practical, since these change randomly on Microsoft's end. I was wondering if I could do the split tunnel based on an Application Control rule? Anyone doing anything like this?

    Thx.

  2. #2
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Re: Split Tunneling based on Application Control?

    I developed a program in Go called 'ochepist' which I use to pull a list of, e.g., Office 365 IP addresses from a provided URL and write them to a file in CP dbedit format, creating a group object (see g-o365 in the example below). Retrieving IPs from the URL and writing them to dbedit can be automated in a cron script on the management server (I have 77.30, not R80). I can compile it for any platform; it doesn't need to run on the management server, just the output has to be transported to dbedit. I will be finished with testing in a few days.

    Code:
    [Expert@provider1:0]# ./ochepist_linux_386 -url="https://minemeld/feeds/office365_IPv4s" -g="g-o365"
    wrote 357258 bytes
    [Expert@provider1:0]# head results/g-o365-dbedit.txt 
    create network_object_group g-o365
    create address_range r104.210.43.160-104.210.43.160
    modify network_objects r104.210.43.160-104.210.43.160 ipaddr_first 104.210.43.160
    modify network_objects r104.210.43.160-104.210.43.160 ipaddr_last 104.210.43.160
    modify network_objects r104.210.43.160-104.210.43.160 comments "Created by ochepist with dbedit"
    update network_objects r104.210.43.160-104.210.43.160
    addelement network_objects g-o365 '' network_objects:r104.210.43.160-104.210.43.160  
    update network_objects g-o365
    create address_range r104.41.155.129-104.41.155.129
    modify network_objects r104.41.155.129-104.41.155.129 ipaddr_first 104.41.155.129
    [Expert@provider1:0]# dbedit -local -globallock -f results/g-o365-dbedit.txt
    If that object g-o365 is part of the VPN group, then it will update split tunneling accordingly after the policy is installed on the gateway (policy install can be scheduled on the management server too).
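As an added illustration of the feed-to-dbedit step described in the post above (this is not the 'ochepist' code, which is not published in the thread), the following Go program turns a constructed sample IP feed into dbedit commands in the same shape as the head output shown. The feed contents, the group name g-o365, the comment text and the handling of CIDR entries as address_range objects are all assumptions for the example. From a defender's point of view the important detail is that every feed line is parsed as an IPv4 address or prefix before it is used to build a command, so a malformed or tampered feed aborts the run instead of producing dbedit input that was never validated.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// sampleFeed is a constructed stand-in for the text an IPv4 feed might return:
// one address or CIDR per line, with comments and blank lines to be skipped.
// It is not a real Office 365 address list.
const sampleFeed = `# constructed sample feed (not a real Office 365 list)
104.210.43.160
104.41.155.129
13.107.6.152/31

`

// rangeBounds returns the first and last IPv4 address covered by one feed entry.
// A plain address covers itself; a CIDR prefix covers its network..broadcast span.
// Anything that is not IPv4 is rejected so it can never reach dbedit.
func rangeBounds(entry string) (first, last net.IP, err error) {
	if ip := net.ParseIP(entry); ip != nil {
		v4 := ip.To4()
		if v4 == nil {
			return nil, nil, fmt.Errorf("not an IPv4 address: %q", entry)
		}
		return v4, v4, nil
	}
	_, n, err := net.ParseCIDR(entry)
	if err != nil {
		return nil, nil, fmt.Errorf("unparseable feed entry %q: %w", entry, err)
	}
	v4 := n.IP.To4()
	if v4 == nil || len(n.Mask) != 4 {
		return nil, nil, fmt.Errorf("not an IPv4 prefix: %q", entry)
	}
	first = make(net.IP, 4)
	last = make(net.IP, 4)
	for i := 0; i < 4; i++ {
		first[i] = v4[i] & n.Mask[i]
		last[i] = v4[i] | ^n.Mask[i]
	}
	return first, last, nil
}

// DbeditCommands renders a feed as dbedit commands: one address_range per entry,
// each added to the named group, following the command layout shown in the post.
// The object naming scheme r<first>-<last> is an assumption of this example.
func DbeditCommands(feed, group string) ([]string, error) {
	if strings.ContainsAny(group, " \t\n'\"") || group == "" {
		return nil, fmt.Errorf("invalid group name %q", group)
	}
	cmds := []string{fmt.Sprintf("create network_object_group %s", group)}
	sc := bufio.NewScanner(strings.NewReader(feed))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		first, last, err := rangeBounds(line)
		if err != nil {
			return nil, err // fail closed: no partial command file from a bad feed
		}
		name := fmt.Sprintf("r%s-%s", first, last)
		cmds = append(cmds,
			fmt.Sprintf("create address_range %s", name),
			fmt.Sprintf("modify network_objects %s ipaddr_first %s", name, first),
			fmt.Sprintf("modify network_objects %s ipaddr_last %s", name, last),
			fmt.Sprintf("modify network_objects %s comments \"Created by feed-to-dbedit example\"", name),
			fmt.Sprintf("update network_objects %s", name),
			fmt.Sprintf("addelement network_objects %s '' network_objects:%s", group, name),
		)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	cmds = append(cmds, fmt.Sprintf("update network_objects %s", group))
	return cmds, nil
}

func main() {
	cmds, err := DbeditCommands(sampleFeed, "g-o365")
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(cmds, "\n"))
}
```

The output file would then be fed to dbedit on the management server exactly as the post shows; the example deliberately stops at generating the text so that the parsing and validation step can be tested on its own, away from the management server.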

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,371
    Rep Power
    8

    Re: Split Tunneling based on Application Control?

    That's unsupported!

  4. #4
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Re: Split Tunneling based on Application Control?

    Program can be run outside of mgmt server, only to generate dbedit files ;)

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,371
    Rep Power
    8

    Re: Split Tunneling based on Application Control?

    That's ok with me then!

  6. #6
    Join Date
    2006-10-04
    Posts
    32
    Rep Power
    0

    Re: Split Tunneling based on Application Control?

    Any supported way to do this using the Application Control blade?

  7. #7
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Re: Split Tunneling based on Application Control?

    Split tunneling is based on the VPN encryption domain, which from what I know can only be a group of address objects. Updating a group of address objects through dbedit automation scripts is supported by Checkpoint.

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,342
    Rep Power
    15

    Re: Split Tunneling based on Application Control?

    If you're basically trying to do a "route all traffic to VPN except for Office 365 traffic" then I'm afraid there's no other way to achieve this short of some scripting at the moment.
    There is not currently a dynamically updated list of IP addresses integrated into the Check Point policy, though it is in the near-term plans.
    However, I'm not sure it will address this specific use case.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2006-10-04
    Posts
    32
    Rep Power
    0

    Re: Split Tunneling based on Application Control?

    I'd love to get some opinions on what everybody else is doing with respect to O365 migrations and other cloud-based services. How is everyone else controlling access from behind a CP firewall (not referring to the VPN in this case)?
