Split Tunneling

  • Updated on Feb 25, 2026
  • Published on Apr 27, 2020
  • 1 minute(s) read
  • R
  • Perimeter Support
  • m
 Prev Next

Split tunneling allows you to choose which traffic passes through the tunnel and which traffic bypasses the tunnel and accesses the resource directly.

Private network traffic is always tunneled through the cloud, based on your network tunnels and routing table settings.

To route additional addresses through the Harmony SASE cloud (for example, public resources that require inspection), specify them manually. Also specify any addresses that you want to exclude when tunneling all internet traffic.

Note:
Split tunneling by FQDN is supported only for Harmony SASE Agents 10.1.x and higher. Agents running earlier versions ignore FQDN-based split tunneling settings and revert to full tunneling.

Configuring Split Tunneling for a Network

  1. Access the Harmony SASE Administrator Portal and click Networks.
  2. Select your network.
  3. Click ... and click Split Tunneling.
    The Hybrid Split Tunneling window appears.
  4. Select one of these:

    • Tunnel all internet traffic except: Routes all internet traffic through Harmony SASE, except the destinations you specify. These destinations bypass the tunnel

    • Do not tunnel any traffic except: Routes only private network traffic through Harmony SASE. Internet traffic is sent directly to the internet, except the destinations you specify. These destinations are tunneled.

  5. In the Except for the Following Destinations, search for objects.
  6. In All Exceptions, select the required objects:
    1. Assigned: Displays the objects currently selected for this network.
    2. Subnet: Select subnet-based destination objects.
    3.  IP: Select individual IP address objects.
    4.  List: Select predefined lists that contain multiple IPs, subnets, or FQDNs.
    5.  FQDN: Select fully qualified domain name (FQDN) objects for domain-based split tunneling rules.
      For more information on creating Subnet, IP, List, and FQDN objects, see Objects.
    6.  Updatable Objects: Select dynamic object groups that automatically update their IP ranges.
      For more information, see Updatable Objects.
      Note:

      Microsoft Azure services, Amazon Web Services (AWS), and Geolocation-based Updatable Objects are not supported for Split Tunneling.

  7. Verify the selected objects under the Assigned tab.

  8. Click Apply Changes.

Note:
Processing time depends on system resources. It can take up to 3 seconds for every 500 subnets.

Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at sase.checkpoint.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.