
Desktop Policy / Split Tunneling

In the world of Check Point remote access there are two types of client used for remote VPN access:

  • Secure Remote – Basic Free client
  • Secure Client – Non-free licensed client allowing the enforcement of desktop policies.

Desktop Policy

Within the Desktop Policy tab of your Check Point policy (in SmartDashboard) there are two sections, inbound and outbound.
Rules in these sections use one of three actions: Accept, Encrypt and Block.

  • Accept – Allows the traffic through unencrypted, but also includes an implicit encrypt: any matching traffic destined for the encryption domain is encrypted.
  • Encrypt – Allows the matching traffic through, but only encrypted.
  • Block – Simply blocks the traffic.

Below is an example of a desktop policy. This desktop policy allows inbound unencrypted RDP traffic.



Disabling Split tunneling

What is Split Tunneling?
Split tunneling is the term for a remote access VPN user accessing the Internet directly, rather than having Internet-bound traffic sent down the VPN tunnel.

How to disable Split Tunneling?
Check Point enables split tunneling by default. To disable it you must first make sure you are using Office Mode. The steps involved in disabling split tunneling are:

1. Go to the Check Point gateway object and enable “Allow Secure Client to route traffic through the gateway”.



2. Configure NAT so that traffic destined for the Internet is translated behind a public IP address.

  • First, configure a manual NAT rule that keeps the original source address of the remote access user when the destination is an internal address.
  • Then add a manual NAT rule below it that translates the remote user's source address to your gateway's external IP address when the destination is the Internet.

3. Configure your Desktop Policy with a rule to encrypt all traffic and a rule below it to accept all traffic.


The accept rule at the bottom ensures that when you are not connected to the VPN the policy still allows traffic out to the Internet.

4. Add the relevant rules to your gateway security policy to allow access from the remote users' IP (or username) to the Internet.
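To make the ordering argument in steps 2 and 3 concrete, here is a small added model (not Check Point code, and not from the original article) of first-match evaluation for the two manual NAT rules and the encrypt-then-accept desktop policy. The Office Mode pool, encryption domain and gateway address are constructed sample values.

```python
import ipaddress

# Constructed sample addressing; these values are assumptions, not from the article.
ENCRYPTION_DOMAIN = ipaddress.ip_network("10.0.0.0/8")    # networks behind the gateway
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.10.0/24")  # Office Mode pool handed to clients
ANY = ipaddress.ip_network("0.0.0.0/0")
GATEWAY_EXTERNAL_IP = "203.0.113.1"

# Outbound desktop policy from step 3: an any/any Encrypt rule with an any/any Accept below it.
DESKTOP_POLICY = ["Encrypt", "Accept"]

# Manual NAT rules from step 2: (original source, destination, translated source);
# None means "keep the original source address".
NAT_RULES = [
    (OFFICE_MODE_POOL, ENCRYPTION_DOMAIN, None),   # rule 1: internal hosts see the real client IP
    (OFFICE_MODE_POOL, ANY, GATEWAY_EXTERNAL_IP),  # rule 2: Internet traffic hides behind the gateway
]


def desktop_verdict(policy, dst, vpn_connected):
    """Walk the desktop policy top-down and return what happens to a client packet.

    Models the behaviour the article describes: Encrypt only applies while the
    tunnel is up, Accept passes traffic in the clear but implicitly encrypts
    anything bound for the encryption domain, Block drops.
    """
    in_domain = ipaddress.ip_address(dst) in ENCRYPTION_DOMAIN
    for action in policy:
        if action == "Encrypt" and vpn_connected:
            return "encrypted"
        if action == "Accept":
            return "encrypted" if (in_domain and vpn_connected) else "clear"
        if action == "Block":
            return "blocked"
    return "blocked"  # nothing matched: implicit cleanup


def nat_source(rules, src, dst):
    """First matching manual NAT rule wins, so rule order decides the translation."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, translated in rules:
        if src_ip in src_net and dst_ip in dst_net:
            return translated or src
    return src  # no rule matched: no translation


if __name__ == "__main__":
    client = "172.16.10.7"
    print(desktop_verdict(DESKTOP_POLICY, "198.51.100.20", True))   # encrypted: no split tunnel
    print(desktop_verdict(DESKTOP_POLICY, "198.51.100.20", False))  # clear: Accept still lets traffic out
    print(nat_source(NAT_RULES, client, "10.1.1.5"))                # 172.16.10.7
    print(nat_source(NAT_RULES, client, "198.51.100.20"))           # 203.0.113.1
    print(nat_source(NAT_RULES[::-1], client, "10.1.1.5"))          # 203.0.113.1: wrong order hides internal traffic too
```

Swapping the two NAT rules shows why rule 1 must sit above rule 2: the any-destination hide rule would otherwise match internal traffic first.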

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001