MENU
      Contents x
      Split Tunneling
      • 24 Feb 2025
      • 2 Minutes to read
      • Contributors
        Contents

        Split Tunneling

        • Updated on 24 Feb 2025
        • 2 Minutes to read
        • Contributors
          Article summary

          Understanding Split Tunneling

          • Split Tunneling lets specific data go through the VPN, while other data accesses the internet directly.
          • Useful for optimizing user browsing experience by selecting which traffic should be tunneled through the VPN to the SASE cloud.
          • The recommended setting is not to tunnel internet traffic through the cloud to minimize latency while keeping connectivity to private resources.

          How to Set Up Split Tunneling

          This article describes how to incorporate split tunneling into your network. 

          Private network traffic is always tunneled through the cloud, based on your network tunnels and routing table settings.

          To route additional addresses through the Harmony SASE cloud, such as public cloud resources you would like to access through SASE using whitelisting, you must specify them manually. You also need to specify any addresses you want to exclude when routing all internet traffic through the tunnel.

          To change your Split Tunneling configuration, go to Networks -> Select your network, and click on the "..." button, then "Split tunneling":

          360006609179splittunneling.png

          FQDN Split Tunneling
          Split Tunneling by FQDN is available using 10.1.x agents and above. Lower-version agents will ignore Split-Tunneling settings by FQDN and revert to full tunneling if it is defined.

          Configuring Split Tunneling for a Network

          1. Access the Harmony SASE Administrator Portal and click Networks.
          2. Select your network.
          3. Click the more icon (...) and click Split Tunneling.
                 The Hybrid SASE Settings window appears.
          4. In the Internet Traffic Tunneling section, select one of these:
            ItemDescription
            Do not tunnel internet traffic via cloudOnly private resources are tunneled through the VPN. All other traffic goes directly to the internet. This is the default setting.

            From the Except traffic to the following destinations list, select the addresses or IPs that should go through the tunnel.
            Tunnel all internet traffic via cloudAll internet traffic is tunneled through the cloud, but you can exclude specific destinations from being tunneled.

            From the Except traffic to the following destinations list, select the addresses or IPs that should not go through the tunnel when all internet traffic is being tunneled.
            Note:

            The processing time depends on the system resource. It takes up to 3 seconds for every 500 subnets.

          5. Click Apply.

          Troubleshooting

          If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

          Support Contacts

          If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.

          Was this article helpful?
          What's Next