Check Point - Desktop Policy / Split Tunnelling
In the world of Check Point remote access there are two types of client used for remote VPN access:
- SecureRemote – the basic, free client.
- SecureClient – the licensed (non-free) client, which additionally allows the enforcement of desktop policies.
Within the Desktop Policy tab of your Check Point policy (via SmartDashboard) there are two sections: inbound and outbound. Each section's rules take one of three actions: Accept, Encrypt or Block.
- Accept – Allows the traffic out unencrypted, but also includes an implicit encrypt: any traffic destined for the encryption domain is still encrypted.
- Encrypt – Allows the traffic through only if it is encrypted.
- Block – Simply blocks the traffic.
Below is an example of a desktop policy. This desktop policy would allow inbound unencrypted RDP traffic.
Disabling Split tunneling
What is Split Tunneling?
Split tunneling is the term for a configuration in which a remote access VPN user can reach the Internet directly, rather than having Internet-bound traffic sent down the VPN tunnel.
How to disable Split Tunneling?
Check Point enables split tunneling by default. In order to disable it you must first make sure you are using Office Mode. The steps involved in disabling split tunneling are:
1. Configure a manual NAT rule that keeps the original source address of your remote access user when the destination is an internal address.
2. After this, add a second manual NAT rule that translates the remote user's source address to your gateway's external IP address when the destination is the Internet.
3. Configure your desktop policy to encrypt all traffic, with a rule below it to accept all traffic. The reason for the accept at the bottom is to ensure that if you are not connected to the VPN the policy will still allow traffic out to the Internet.
4. Add the relevant rules to your gateway security policy to allow access from the remote users' IP addresses (or usernames) to the Internet.
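As an added illustration (not Check Point's code or anything from the original page), the following Python model evaluates the desktop policies described above and the two manual NAT rules from steps 1 and 2 in first-match order. It shows why the Encrypt rule must sit above the Accept rule, how Accept's implicit encrypt keeps encryption-domain traffic encrypted even with split tunneling on, why the keep-original-source NAT rule must precede the hide-NAT rule, and the inbound RDP example from earlier. All addresses, the encryption domain, the Office Mode pool and the rule that an Encrypt rule is skipped while the client is disconnected are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample values (assumptions, not from the page).
ENCRYPTION_DOMAIN = [ip_network("10.0.0.0/8")]     # internal networks behind the gateway
OFFICE_MODE_POOL = ip_network("172.16.10.0/24")    # Office Mode addresses given to remote users
GATEWAY_EXTERNAL_IP = "203.0.113.1"                # hide-NAT address for Internet-bound traffic


def _matches(pattern: str, addr: str) -> bool:
    """Match 'any' or a CIDR pattern against a single address."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def in_encryption_domain(addr: str) -> bool:
    return any(ip_address(addr) in net for net in ENCRYPTION_DOMAIN)


@dataclass
class DesktopRule:
    source: str       # 'any' or CIDR
    destination: str  # 'any' or CIDR
    service: str      # 'any' or a service name such as 'rdp'
    action: str       # 'Accept', 'Encrypt' or 'Block'


def evaluate_desktop_policy(rules: List[DesktopRule], src: str, dst: str,
                            service: str, vpn_connected: bool) -> str:
    """First-match evaluation of a desktop policy; returns 'encrypted', 'clear' or 'blocked'.

    Modelling assumptions: Accept passes traffic in clear but implicitly encrypts
    anything destined for the encryption domain (as the page states); an Encrypt
    rule only applies while the VPN is up and is skipped when disconnected, so a
    later Accept can still match (consistent with the page's reason for the
    trailing Accept); traffic matching no rule is blocked.
    """
    for rule in rules:
        if not (_matches(rule.source, src) and _matches(rule.destination, dst)
                and rule.service in ("any", service)):
            continue
        if rule.action == "Block":
            return "blocked"
        if rule.action == "Encrypt":
            if vpn_connected:
                return "encrypted"
            continue                      # cannot encrypt without a tunnel; fall through
        if rule.action == "Accept":
            if in_encryption_domain(dst):
                return "encrypted"        # Accept's implicit encrypt
            return "clear"
    return "blocked"


@dataclass
class NatRule:
    source: str
    destination: str
    translated_source: Optional[str]      # None = keep the original source address


def apply_nat(rules: List[NatRule], src: str, dst: str) -> str:
    """First-match manual NAT: return the source address the packet leaves with."""
    for rule in rules:
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return src if rule.translated_source is None else rule.translated_source
    return src                            # assumption: no match means no translation


# Default-style outbound policy (split tunneling on) vs. the two-rule policy from step 3.
SPLIT_TUNNEL_POLICY = [DesktopRule("any", "any", "any", "Accept")]
NO_SPLIT_TUNNEL_POLICY = [
    DesktopRule("any", "any", "any", "Encrypt"),
    DesktopRule("any", "any", "any", "Accept"),
]
# Inbound policy from the earlier example: unencrypted RDP allowed, everything else blocked.
INBOUND_RDP_POLICY = [
    DesktopRule("any", "any", "rdp", "Accept"),
    DesktopRule("any", "any", "any", "Block"),
]
# Manual NAT rules in the order given in steps 1 and 2.
NAT_RULES = [
    NatRule(str(OFFICE_MODE_POOL), "10.0.0.0/8", None),
    NatRule(str(OFFICE_MODE_POOL), "any", GATEWAY_EXTERNAL_IP),
]

REMOTE_USER, INTERNAL_HOST, INTERNET_HOST = "172.16.10.25", "10.1.2.3", "198.51.100.7"

if __name__ == "__main__":
    for name, policy in (("split", SPLIT_TUNNEL_POLICY), ("no-split", NO_SPLIT_TUNNEL_POLICY)):
        for connected in (True, False):
            for dst in (INTERNAL_HOST, INTERNET_HOST):
                print(name, "connected" if connected else "disconnected", dst,
                      evaluate_desktop_policy(policy, REMOTE_USER, dst, "http", connected))
    print("NAT to internal:", apply_nat(NAT_RULES, REMOTE_USER, INTERNAL_HOST))
    print("NAT to internet:", apply_nat(NAT_RULES, REMOTE_USER, INTERNET_HOST))
    print("NAT reversed, to internal:", apply_nat(NAT_RULES[::-1], REMOTE_USER, INTERNAL_HOST))
```

Running the script prints the outcome of each policy for a connected and a disconnected client; the reversed NAT order case shows that swapping steps 1 and 2 would hide internal-bound traffic behind the gateway address, which is exactly what the first rule is there to prevent.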