Check Point – Desktop Policy / Split Tunnelling

In the world of Check Point remote access there are two types of client used for remote VPN access:

  • SecuRemote – the basic, free client.
  • SecureClient – the licensed (non-free) client, which additionally allows the enforcement of desktop policies.

Desktop Policy

Within the Desktop Policy tab of your Check Point policy (via SmartDashboard) you have two sections, Inbound and Outbound. The rules in these sections use one of three actions: Accept, Encrypt and Block.

  • Accept – Allows the traffic out unencrypted, but also includes an implicit Encrypt: any traffic destined for the encryption domain is still encrypted.
  • Encrypt – Allows the traffic only if it is encrypted (sent down the VPN tunnel).
  • Block – Simply blocks the traffic.

The example desktop policy shown below allows inbound unencrypted RDP traffic.

Disabling Split tunneling

What is Split Tunneling?
Split tunneling describes a configuration in which a remote access VPN user can access the Internet directly, rather than having traffic destined for the Internet sent down the VPN tunnel.

How to disable Split Tunneling?
Check Point enables split tunneling by default. In order to disable it you must first make sure you are using Office Mode. Below are the steps involved in disabling split tunneling:

1. Go to the Check Point gateway object and enable “Allow SecureClient to route traffic through the gateway”.

Allow SecureClient - Enable

2. You will need to ensure that traffic destined for the Internet is NATed behind a public IP address.

  • First, configure a manual NAT rule that keeps the original source address of the remote access user when the destination is an internal address.
  • Then add a manual NAT rule below it that translates the remote user's source address to your gateway's external IP address when the destination is the Internet.

3. Configure your Desktop Policy with a rule that encrypts all traffic, and a rule below it that accepts all traffic.

Configure Desktop Policy

The reason for the Accept rule at the bottom is to ensure that, when you are not connected to the VPN, the policy still allows traffic out to the Internet.

4. Add the relevant rules to your gateway security policy to allow access from the remote users' IP addresses (or usernames) to the Internet.
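To check that the rule ordering in steps 2 and 3 (and the Accept/Encrypt/Block semantics described earlier) produces the intended behaviour, the following is an added example, not Check Point code: a small first-match simulator of the desktop-policy and manual-NAT rulebases. The encryption domain, Office Mode pool, gateway address and test destinations are constructed sample values, and the "Encrypt rule is skipped when no tunnel is up" behaviour is a simplification that mirrors the article's reasoning for the Accept rule at the bottom.

```python
"""Added example (not Check Point's code): a first-match simulator for the
desktop-policy and manual-NAT rulebases described in the walkthrough.
The topology and all addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumptions, not taken from the article)
ENCRYPTION_DOMAIN = [ip_network("10.0.0.0/8")]      # networks behind the gateway
OFFICE_MODE_POOL = ip_network("172.16.10.0/24")     # Office Mode addresses for remote users
GATEWAY_EXTERNAL_IP = "203.0.113.1"                 # gateway's public address (TEST-NET-3)


def _matches(dst: str, net: str) -> bool:
    """'any' matches everything; otherwise test membership in the network."""
    return net == "any" or ip_address(dst) in ip_network(net)


def in_encryption_domain(dst: str) -> bool:
    return any(ip_address(dst) in net for net in ENCRYPTION_DOMAIN)


@dataclass
class DesktopRule:
    action: str  # "accept", "encrypt" or "block"
    dst: str     # destination network in CIDR form, or "any"


def desktop_decision(rules, dst: str, vpn_connected: bool) -> str:
    """First-match evaluation of an outbound desktop-policy rulebase.

    Returns 'encrypt' (sent down the tunnel), 'clear' (sent out unencrypted)
    or 'drop'. An Encrypt rule is skipped when no tunnel is up, which is the
    behaviour the article relies on when it puts an Accept rule below it.
    """
    for rule in rules:
        if not _matches(dst, rule.dst):
            continue
        if rule.action == "block":
            return "drop"
        if rule.action == "encrypt":
            if vpn_connected:
                return "encrypt"
            continue  # no tunnel: fall through to the next rule
        if rule.action == "accept":
            # Accept carries an implicit Encrypt for encryption-domain traffic
            if vpn_connected and in_encryption_domain(dst):
                return "encrypt"
            return "clear"
    return "drop"  # implicit cleanup: nothing matched


# Step 3 of the walkthrough: Encrypt everything, Accept everything below it
NO_SPLIT_TUNNEL_POLICY = [DesktopRule("encrypt", "any"), DesktopRule("accept", "any")]


@dataclass
class NatRule:
    src: str                       # original source network
    dst: str                       # destination network or "any"
    translated_src: Optional[str]  # None means keep the original source


def nat_source(rules, src: str, dst: str) -> str:
    """First-match manual NAT: return the source address seen by the destination."""
    for rule in rules:
        if ip_address(src) in ip_network(rule.src) and _matches(dst, rule.dst):
            return rule.translated_src if rule.translated_src is not None else src
    return src  # no rule matched: no translation


# Step 2 of the walkthrough: keep the original source for internal hosts,
# hide remote users behind the gateway for everything else. Order matters:
# with the rules swapped, internal hosts would see the gateway IP instead
# of the individual remote user.
NAT_RULES = [
    NatRule(str(OFFICE_MODE_POOL), "10.0.0.0/8", None),
    NatRule(str(OFFICE_MODE_POOL), "any", GATEWAY_EXTERNAL_IP),
]

if __name__ == "__main__":
    for dst in ("10.1.2.3", "93.184.216.34"):
        for up in (True, False):
            state = "vpn_up" if up else "vpn_down"
            print(dst, state, desktop_decision(NO_SPLIT_TUNNEL_POLICY, dst, up))
        print(dst, "sees source", nat_source(NAT_RULES, "172.16.10.5", dst))
```

With the tunnel up, both the internal and the Internet destination come back as "encrypt", which is exactly the effect of disabling split tunneling; with the tunnel down, the Internet destination falls through to the Accept rule and leaves in the clear. Reversing the two NAT rules makes the internal host see the gateway address rather than the remote user's Office Mode address, which is why the "keep original source" rule must sit above the hide rule.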

Rick Donato
